Mastering Operational Risk by Tony Blunden John Thirlwell PDF
Mastering Operational Risk
A practical guide to understanding operational risk and how to manage it
Tony Blunden and John Thirlwell

Operational risk is a constant concern for all businesses. It goes far beyond operations and process, to encompass all aspects of business risk, including strategic and reputational risks. Within financial services, it became codified by the Basel Committee on Banking Supervision in the 1990s. It is something that needs to be taken seriously by all those involved in running, managing and leading companies.

Mastering Operational Risk is a comprehensive guide which takes you from the basic elements of operational risk, through to its advanced applications. Focusing on practical aspects, the book gives you everything you need to help you understand what operational risk is, how it affects you and your business and provides a framework for managing it.

Mastering Operational Risk:
• Covers the essential basic concepts through to advanced management practices
• Uses examples and case studies and explains how to avoid mistakes
• Provides scenario analysis and modelling techniques for you to apply to your business

Operational risk arises in all businesses. It is a broad term and can relate to internal processes, people and systems, as well as external events. All listed companies, charities and the public sector must make risk judgements and assessments and company managers have an increasing responsibility to ensure that these assessments are robust and that risk management is at the heart of their organisations.

In this practical guide, Tony Blunden and John Thirlwell, recognised experts in risk management, show you how to manage operational risk and show why operational risk management really will add benefits to your business.

• Provides an invaluable framework for the management of operational risk
• Helps you identify and manage risk appetite
• Provides a practical approach to applying operational risk
• Risk and control assessment
• How to use operational risk indicators
• Reporting operational risk
• Modelling and stress-testing operational risk
• Business continuity and insurance
• Managing people risk
• Containing reputational damage

Tony Blunden is an Executive Director of Chase Cooper, a risk management solutions company that focuses on the financial sector to provide solutions for enterprise risk, operational risk, Sarbanes–Oxley, credit and market risk. He heads its consultancy division. Tony’s journalism includes numerous articles on operational risk issues and related matters for Operational Risk and Compliance, New Banking and Frontiers, The Scottish Banker and Complinet. He is the co-author of Risk-Based Compliance (2001) (Butterworths) and has contributed to Mastering Derivatives (First Ed. 1996/Second Ed. 2003/Third Ed. 2006) (FT Prentice Hall), The Euromoney Derivatives and Risk Management Handbook 2001/02 (2001) (Euromoney), Operational Risk: Regulation, Analysis and Management (2002) (FT Prentice Hall) and Managing Business Risk (2003) Kogan Page Limited.

John Thirlwell has worked in financial services for over 30 years and for the last 15 years has been […] Association where he was heavily involved in negotiating the current operational risk regulatory framework for banks and founded and chaired the BBA’s Global Operational Loss Database. He is a Fellow of the Institute of Operational Risk. He has written a regular column for Operational Risk and Regulation magazine, articles on risk issues for Risk, The Treasurer, PFI Journal and the Chartered Institute of Bankers. He was the co-author of A Guide to Business Continuity Management (2001) (BBA/KPMG), senior reviewer of Operational Risk Handbook (2001–4) (Chartered Institute of Securities & Investment), and has written chapters for Advanced Operational Risk (2002) and Basel Handbook (2003) (Risk Waters).

FINANCE
That’s why we work with the best minds in business and finance to bring cutting-edge thinking and best learning practice to a global market.
Edinburgh Gate
Harlow CM20 2JE
Tel: +44 (0)1279 623623
Fax: +44 (0)1279 431059
Website: www.pearsoned.co.uk
The rights of Tony Blunden and John Thirlwell to be identified as authors of this
work have been asserted by them in accordance with the Copyright, Designs and
Patents Act 1988.
Pearson Education is not responsible for the content of third party internet sites.
ISBN: 978-0-273-72732-3
Contents

Preface xiii
Acknowledgements xv
The authors xvi

3 Governance 37
  Introduction 38
  Operational risk management framework 39
  Operational risk policy 42
  Operational risk appetite 43
  Roles and responsibilities statements 55
  Glossary 60
  Timeline 62

6 Indicators 115
  Introduction 116
  Key performance indicators and key risk indicators 117
  Establishing KRIs and KCIs 118
  Targets and thresholds 121
  Periodicity 123
  Identifying the leading and lagging indicators 124
  Action plans 125
  Dashboards 125
  Summary 126

7 Reporting 129
  Introduction 130
  Common issues 130
  Basic principles 132
  Report definition 135
  Reporting styles and techniques 136
  Dashboard reporting 141
  Summary 143

8 Modelling 145
  Introduction 146
  Previous approaches to operational risk modelling 147
  Towards an inclusive approach 155
  Distributions and correlations 157
  Practical problems in combining internal and external data 158
  Confidence levels and ratings 161
  Obtaining business benefits from capital modelling 162
  Obtaining business benefits from qualitative modelling 166
  Summary 171

11 Insurance 215
  Operational risk and insurance 216
  Insurance speaks to cause 216
  Buying insurance 217
  The insurance carrier 222
  Alternative risk transfer mechanisms 222
  Conclusion 226

13 Outsourcing 247
  What is outsourcing? 248
  Outsourcing – transforming operational risk 248
  Deciding to outsource 249
  The outsourcing project – getting it right at the start 252
  Risk assessment 253
  Some tips on the request for proposal 255
  Selecting the provider 255
  Some tips on service level agreements 260
  Managing the project 262
  Exit strategy 266
Preface

Risk management has taken a knock over the past few years, as the financial crisis has unfolded. But perhaps the problem was not so much a failure of risk management as such, as its absence from strategic and other decisions.

That is why we believe Mastering Operational Risk is both timely and a reminder that good risk management is fundamental to good business management. And, as we show in Chapter 2, good operational risk management can bring real business benefits. It is as much about opportunities as it is about threats: so it demands imagination and the flexibility to adapt to a rapidly changing risk environment.

Operational risk emerged as a risk discipline in its own right in financial services in the early 1990s. However, it was influenced by events in the ‘hazard’ industries and took on board methods which were already being used in energy, nuclear, space and transport, where operational risk as we now know it, was simply good risk management.

For us, operational risk goes far beyond operations and process to encompass all aspects of business risk, including strategic and reputational risks. Its management is not a complicated science, as much as a very human art which lies at the heart of all business decisions.

Mastering Operational Risk came about because we both passionately believe that there is a need for a book that sets out a practical framework for operational risk management, rather than one which is academic and quantitative in its approach. It has been written by practitioners for practitioners.

Given our professional backgrounds, and given where operational risk management has been developed over the past decade, Mastering Operational Risk is grounded in financial services, but the core elements are equally applicable to all sectors and to those who have to make business judgements. Since operational risk covers all aspects of business and involves everybody who works in the business or deals with it, we hope that it will provide useful tips for the beginner as well as the seasoned professional.

The core of the book is a risk management framework which provides a practical structure for managing this most slippery of risks. At its heart lie the critical processes of risk and control assessment and the use of loss events and indicators, all within an overarching governance structure. It tackles head-on the thorny subject of operational risk appetite – for a risk which takes in the unknown unknowns as well as the known unknowns. And although fundamentally this is a book about management, it also covers ways in which operational risk can be modelled and measured. It includes a business approach to modelling operational risk, which places the tool of modelling back in the hands of management, using the fundamental operational risk processes.

Of course, stuff happens which is unavoidable. But unavoidable does not mean unmanageable. That is why we have included chapters on both reputation risk – and how to deal with reputation crises – as well as business continuity. And as so much of operational risk is ultimately down to people failures, people risk is a key risk which is fully covered in its own chapter.

Mastering Operational Risk represents the distillation of two lifetimes of experience in operational risk management, during which we have enjoyed so many conversations with friends and colleagues about taming this exotic beast. A number of them have been kind enough to read individual chapters or in other ways to provide invaluable advice and suggestions: Rees Aaronson, Andrew Bryan, Ian Hilder, Mark Johnson, Charlotte Kiddy, Tim Landsman, Roger Miles, John Naish, Bruce Nichols, John Renz, Nick Symons and Rosemary Todd. To them go our especial thanks. Any sins of omission or commission, though, are entirely our own. Special thanks also to our editors, Chris Cudmore and Mary Lince, who have provided much needed encouragement and guidance.

Finally, we should like to thank our families for their constant support and for having to live lives, probably more than most, surrounded by operational risk.

ACB
JRWT
The authors

Tony Blunden

Tony has worked in the City of London for over 30 years, primarily within risk management, compliance and related areas in financial services organisations. He is Head of Consulting and a Board member of Chase Cooper.

Tony’s areas of focus are the identification and development of clients’ needs; the development of Chase Cooper’s profile and product set; and the provision of both public and bespoke training to clients. Tony has advised and guided over 50 clients and previous client engagements have included risk frameworks and governance; risk and control assessments; indicators of key risks and key controls; event and loss databases and their use; modelling of operational risk; risk reporting; and stress testing and scenario analysis. He is developing the integration of operational risk data with six sigma techniques in order to bring business benefit through control and process improvement.

Tony has spoken at over 100 international risk and compliance conferences and has appeared on television and radio. He is also a well-known author of articles and chapters on risk management and compliance, having published around 30 documents. He is a Fellow of the Institute of Chartered Secretaries and Administrators and a Member of the Examinations Board of the Chartered Institute of Securities and Investment.

John Thirlwell

John has worked in financial services in the City of London for over 30 years. He was Chief Risk Officer and a director of an investment bank and, for the last 15 years, has been an executive and non-executive director of a number of banking and insurance firms. He was a director of the British Bankers’ Association where he was responsible for negotiating the operational risk aspects of the Basel Capital Accord and EU Capital Requirements Directive. He founded and chaired the BBA’s Global Operational Loss Database.

He has been chairman of the UK Financial Services and Insurance Committee of the International Chamber of Commerce and has sat on advisory groups on risk and operational risk for the Bank of England, Financial Services Authority, Financial Services Skills Council, Chartered Institute of Securities and Investment, and Lloyd’s Market Association.

John is well known internationally as a speaker and writer on operational risk and on risk management and governance and is a Fellow of the Institute of Operational Risk and of the Chartered Institute of Bankers. He graduated from the University of Oxford and is chairman of trustees of the Bankside Gallery, London.
Dateline: North Atlantic, 400 miles south of the Grand Banks of Newfoundland, 23.50, 14 April 1912

On its maiden voyage, RMS Titanic hits an iceberg which buckles the hull, causing five compartments to fill with water (the ship was designed to survive if up to four failed) and the ship to sink. Inadequate construction, lack of escalation procedures to handle ice warnings and, critically, inadequate lifeboat provisions lead to the deaths of 1517 of the 2223 on board.

Dateline: Bligh Reef, Prince William Sound, 00.04, 23 March 1989, Exxon Valdez

As a result of failures to adhere to appropriate work patterns, to provide navigation watch and, on the part of coast guards, to provide an effective traffic system through the Sound, the Exxon Valdez oil tanker strikes the reef, shedding some 40 million litres of oil. The spill results in the collapse of the local marine population and is disastrous to the local economy.

[…] governance and lack of clear reporting lines had enabled Leeson to generate trading losses of $1.3bn, twice the capital of the bank. The 232-year-old bank was forced into insolvency and administration.
The road to operational risk, like the road from Moscow in the winter of 1812, has been long and arduous. In 1345, when the Black Death was raging across continental Europe and priests proclaimed the end of the world, Thomas Aquinas, philosopher, and saint as he later became, wrote, ‘The world has never been more full of risk.’ Over 650 years later, people continue to have the same view, but now global warming, terrorism or even the rise of global capitalism keeps them awake at night. And of course pandemics continue to haunt us, whether it is SARS, or avian or swine flu.

Whether or not the world is more risky, awareness of risk is undoubtedly high. That in part reflects changes in society in which risk assessment and risk tolerance are increasingly democratised. Various forms of activism, whether by consumers or non-governmental organisations, allied to a society which appears increasingly unable to accept personal risk responsibility, mean that we no longer allow risk assessment, and especially risk tolerance, to be left in the hands of governments or ‘experts’.

Not that activism is a new phenomenon. In response to social, and therefore political, pressure, often by trade unions or other forms of organised labour, numerous laws and regulations relating to health and safety in workplaces and elsewhere have been coming steadily onto the statute book since the nineteenth century. The first Mining Acts passed into law in 1803.

The interesting thing about these comments and the events at the start of this chapter is that they all form part of what is now known as operational risk. It is a very broad church. As those events show, one of the big problems of operational risk management, and indeed any form of risk management, is that we do not know the risks we face now or in the future, but we must act as if we do. Risk management implies that something can be done to reduce, if not eliminate, the likelihood and impact of danger and uncertainty.

But there is always the possibility that something will go wrong, whether through a failure in a process, human failures or simply because something unexpected happens in the external environment. Of all these, the most unpredictable, and the ones most likely to cause serious problems, are human failures and external events. That does not mean that these unpredictable factors are unmanageable. But it does mean that we need to approach operational risk management intelligently, with a humble acceptance of its limitations. If we do not, operational risk management becomes a risk in itself as it falls foul of an expectation that it is in some way a panacea for all our troubles. Risk management means neither risk avoidance nor risk elimination.

Even financial services regulators seem to have recognised the limitations of risk management. In the immediate aftermath of the financial crisis of 2007/9 they publicly climbed down from the pinnacle of risk-based regulation or supervision to the more practical level of outcomes-based regulation. Developing a climate of intelligent questioning is both the challenge and the opportunity for operational risk managers – and probably for regulators as well.

Having said that, risk is an integral part of life which has to be managed. In business life it has been increasingly enshrined in codes of corporate governance since the early 1990s. The Cadbury Report (1992) was the first of these, leading to the UK’s first Combined Code of corporate governance, which was published in 1999, along with the Turnbull Report on internal controls. Cadbury was closely followed by the Toronto Report in Canada and King Report in South Africa (1994) and similar reports and recommendations in Australia and France in 1995. The OECD Principles of Corporate Governance, which were first published in 1999, include the paragraph:

‘An area of increasing importance for boards and which is closely related to corporate strategy is risk policy. Such policy will involve specifying the types and degree of risk that a company is willing to accept in pursuit of its goals. It is thus a crucial guideline for management that must manage risks to meet the company’s desired risk profile.’1

The discipline of operational risk management itself probably emerged first in those ‘hazard’ or ‘safety critical’ industries or activities where the effect of failure can be catastrophic, whether in terms of lives lost or environments destroyed – nuclear, space, defence, pharmaceuticals, energy and transport. And it also had an honourable tradition in manufacturing, where the management of production lines and health and safety are vitally important.

Against this background, some time in the 1990s, operational risk emerged in the financial services sector as a term to identify a particular set of risks. Folk memory suggests that its emergence as a separate discipline was triggered by the Barings case in 1995. But it was being considered before that, partly as a result of events and failures which proved to banks that lending might be the least of their worries. Many were also conscious of events in other industries, such as the Piper Alpha rig disaster in 1988.

Not that it was much different for medieval bankers several centuries before. Their businesses failed as much because their communities and customers suffered from war, plague and famine, as they did from imprudent lending to defaulting sovereigns or states. Operational risk has always been with us.

Before we consider practical ways of managing it, though, we will first establish what exactly we mean in this book by operational risk.
Defining risk

Perhaps the first thing to decide is what we mean by risk? The word came into the English language in the seventeenth century from the Italian risco or rischio, meaning hazard or chance of danger. Some element of that appeared in a definition given by the Royal Society in 1992, ‘the chance, in quantitative terms, of a defined hazard occurring’. This has the merit of introducing the concept of probability or uncertainty, but its accent on defined hazards implies that it concerns ‘known unknowns’.

Two other definitions of risk introduce a key element, impact on objectives, which will be a running theme throughout this book. The British Standard on Risk Management defines risk as ‘something that might happen and its effect(s) on the achievement of objectives’.2 This echoes a Standard which had been in use in Australia and New Zealand, AS/NZS 4360:2004, which spoke of risk as being ‘the chance of something happening that will impact objectives . . .’. In the latest international standard this has become ‘the effect of uncertainty on objectives’ (ISO 31000:2009), which shifts the emphasis back from effect to cause. The subject of risk becomes ‘something that might happen’. We are now moving into ‘unknown unknowns’ territory.

People often say that risk is a threat to objectives, something which negatively affects those objectives or threatens the factors which make a business successful. However, the two definitions mentioned above do not speak of threats, they speak of impacts. Risk and risk management can be about opportunities as much as threats. As Peter Bernstein has expressed it in Against the Gods, when discussing the theories of the seventeenth century Swiss mathematician, Daniel Bernoulli, ‘Risk is not something to be faced, but a set of opportunities open to choice.’

Readers may be familiar with the notion that in Chinese the concept of risk is represented by two characters which ‘translate’ as danger and opportunity. In fact, the characters for crisis (rather than danger) are wei ji (危机) and the characters for opportunity are ji hui (机会), so it’s probably truer to say that the character ji forms part of the concepts for crisis and opportunity, which still shows that conceptually the Chinese understood the twin sides of risk many centuries ago.

Loss of one or more key staff, loss of reputation or abandoning a project may well have an adverse financial impact, but even then it is possible that they can result in financial benefit both in the short and medium term. When something happens, it may even help you to achieve and surpass your objectives. Those objectives can be sales, profits, market share or something else, such as the behavioural objectives discussed in Chapter 14, People risk. Disciplines of risk management will mean that you are prepared as much for the upside as for the downside. Risk is not downhill all the way, even if it often feels like it.
Part 1 · Setting the scene
But even the Basel Committee limited its own definition by adding a rider that it included legal risk, but excluded strategic and reputational risk.6

Legal risk – the risk of capricious legislators, of capricious judges and juries, or of finding that documentation is inadequate to sustain a claim against a debtor – is a perfectly legitimate risk to include within operational risk. But it has a sister risk, regulatory risk, which is little spoken of (by regulators), yet which consistently features high in the CSFI’s annual ‘Banana Skins’ surveys.7 Until recently, that probably reflected irritation with the burden of ‘too much’ regulation, rather than the biggest genuine threat to the business. Now it might well begin to encompass decisions by legislators and regulators, in the wake of the financial crisis, which will have considerable impact on business models.

The one outsider is reputation risk, which is not really a direct risk in itself, but is usually the result or consequence of an operational risk failure. It was probably excluded from the Basel Committee’s definition on the basis that it was too difficult to assess. As it is a secondary consequence of another risk, an argument can be made for its exclusion. However, many firms in all industries not unreasonably consider it their biggest risk by far (see Chapter 15, Reputation risk).

What emerges is that, whilst it might be permissible to exclude strategic risk, i.e. making the wrong strategic decision for the business, or reputation risk, operational risk nevertheless encompasses practically all the risks of running the business, apart from any which deserve specific treatment. Perhaps the ‘negative’ definition isn’t so bad after all.
Definition: ERM is the culture, processes and tools to identify strategic opportunities and reduce uncertainty. It is a comprehensive view of risk both from operational and strategic perspectives and is a process that supports the reduction of uncertainty and promotes the exploration of opportunities.9

[Figure: risk categories within ERM: liquidity risk, market/product risk, underwriting risk and operational risk (including strategic risk)]
ERM undoubtedly covers all the various risk categories. But for us, operational
risk is essentially business risk and at the heart of business risk management.
That is the view taken in this book, but how you define operational risk is up
to you. Your definition must go with the grain of your firm and all firms are
different in their business, culture and people. But define it, or scope it, you
must, because how you define it will determine how you classify it and assess it
and how it is managed in your firm. Your definition is the cornerstone of any
operational risk policy.
[…] wholesale transactions. But they tend to go into the books as credit losses. Similarly, in the market trading environment, a significant number of what are recorded as market losses are operational risk losses: for example, ‘fat finger’, where the wrong key is struck or an order is mis-typed and you buy when you should have sold, or buy, for example, the Japanese recruitment agency J-Com rather than the cable television group JCom.10

Taking the example to a different level from the purely transactional, failure to adequately stress test market risk models against extreme market movements is a form of operational risk. It reflects a failure of internal controls over the stress testing function. Its impact, though, may not be on an individual transaction, but on the general level of market risk to which the firm is exposed and may well feed through into significant losses. Is that market risk or operational risk?

As with so much about operational risk, it is very much up to you and the nature of your firm and how you wish to allocate losses and manage your risks. What is meant by operational risk – how far you push the boundaries out or pull them in – is entirely up to you. Your risk management framework should reflect the ways you work within the firm. In many cases the answer is straightforward, but not at the boundaries.

The downside of allocating risks by risk type at this higher level is that if you try to extract quantitatively the operational risks which have traditionally been included in credit and market risk data, you add other risks to the problem – the subjectivity of allocation and the breaking of a relatively homogeneous time series of data. Even if you decide that you will keep the boundaries tight – and traditional – you should at least track and record those incidents where an operational failure has resulted in loss. The real object of the exercise is operational risk management, not operational risk measurement.

Operational risk is ultimately about failure of controls – or even lack of controls – so that operational risk management is about establishing and maintaining an effective and cost-effective control environment across all risks. The fact is that operational risk crosses boundaries (and steps on toes) and involves everybody at different levels and in different ways. It gets into the micro-politics, as well as the macro-politics of the firm.
In a very broad sense, the answers to the risks in the right-hand column will be ‘Yes’ and those under operational risk will be ‘No’. Let’s look at them in turn.

Transaction-based

Operational risk obviously occurs each time a transaction is undertaken, but it doesn’t depend on transactions for its existence. Before a firm opens its doors and transacts any business, it is exposed to operational risk in the guise of, for example, fire, theft or flood. The right-hand column risks are entirely transaction-based.

Assumed proactively

Practically all financial services are about the assumption and management of risk, whether it is a bank lending money, an insurer underwriting or a dealer trading currencies or bonds. With other types of business, management of credit and liquidity risk, and of market or commodity risk, may be an inevitable part of the business, but not the reason the firm is in business. But as we said earlier, operational risk is essentially unavoidable, whether we like it or not. There are exceptions, such as where a firm takes on another firm’s processing under an outsourcing arrangement – for a fee. But generally operational risk is something to be reduced and controlled, rather than actively taken on and increased.
[…] information the financial losses (or profits) which result from them, but you will rarely find one of them listed as a line in the general ledger unless, perhaps, that item is fraud. As a result, it is extremely difficult to obtain accurate information on the costs of operational risk. So, for reporting, we have to rely considerably on human honesty and human reporting, rather than data feeds from the accounting system.

This is another consequence of operational risk not being transaction-based. If it were, innumerable bits of data relating to it could be attached to each transaction and it could be comprehensively assessed, analysed and monitored. But it is not. Nor are all its impacts financial.
[…] a trading market, even if investors wanted one. Credit and market risk, as people have belatedly discovered, are only too readily tradeable.

So the answer is that operational risk is intrinsically different from other risks and therefore needs a different toolset with which to manage it, as we shall see in the operational risk management framework which forms the central part of this book.
Table 1.3 The chain of causality and some major operational risk events

Year: 1986
Event: Chernobyl nuclear reactor disaster
Cause: dangerous design of reactor and control rods; unauthorised changes to procedures; inadequate safety culture.
Effect/consequence: severe release of radioactivity (four times the Hiroshima bomb) across Russia and Europe (60% in Belarus); evacuation and resettlement of 336,000 people; probable 4000 additional deaths from cancer.

Year: 1991
Event: Collapse of Maxwell Communications
Cause: over-dominant chief; complexity and lack of transparency in organisation; lack of internal controls; failure to act on warning signals; inadequate auditing; fraud.
Effect/consequence: hundreds of millions of pounds stolen from employees’ pension funds of Maxwell companies.

Year: 2001
Event: World Trade Center (9/11) terrorist attack
Cause: rise of Islamic fundamentalism; failure of intelligence; inadequate air defence systems; lax airport security.
Effect/consequence: 3000 deaths in World Trade Center; destruction of WTC 1 and 2; second Iraq war; global security crackdown.

Year: 2001
Event: Foot and mouth crisis (UK)
Cause: illegal meat imports; failure to comply with regulations by one farmer; lack of resources for cull; failure to appreciate changes in patterns of movements of animals around the UK.
Effect/consequence: 4 million sheep and cattle slaughtered and burnt; world-wide ban on exports of British livestock and meat; UK tourism suffered an £8–9bn loss in 2001 as countryside and tourist attractions involving animals were closed; UK government suffered £3bn cost in tax lost and compensation paid.

Year: 2003
Event: SARS near-pandemic in 37 countries
Cause: new and highly contagious form of atypical pneumonia.
Effect/consequence: air travel restricted; quarantine; disinfectant arrangements.

Year: 2003
Event: NE USA power failure
Cause: failure of alarm system; failure to trim trees, which put high voltage power lines out of service.
Effect/consequence: 11 power stations in NE USA offline, affecting 55 million people; water contamination; transport and communications disrupted.

Year: 2005
Event: Hurricane Katrina
Cause: failure to maintain levees, as contingency against a potentially severe hurricane, allowed water from Lake Pontchartrain to flow into New Orleans; repeat of the flood disasters of 1915, 1947 and 1965.
Effect/consequence: over 1800 deaths; 80% of New Orleans flooded; damage estimated at more than $100bn.
to a low level. But we have to balance the costs of comprehensive and volumi-
nous reporting with the benefits, and concentrate on the information which
best tells us what we need to know.
Operational risk events are very often the results of people failures (see
Chapter 14, People risk). That is why, in Chapter 4, Risk and control assess-
ment, we concentrate on both the design and performance of controls. The
design is all about the system and process. The performance of a control is usu-
ally about people. If all staff are not engaged, controls will fail and the costs of
that can be considerable.
Buy-in comes from communication, especially communicating why we are
doing what we do. Why do we assess both inherent and residual risks? After
all, the ‘reds’ amongst the inherent or gross risks tell us where we’re most
likely to have a disaster. They may, but the chances are that you are doing
something about them. So you need to find out and constantly monitor how
effective the controls you have in place are to bring them down to an accept-
able residual or net level. Explaining and communicating why we are doing
what we do in operational risk management means that management becomes
clear in its own mind and that other staff will understand the purpose and ben-
efits. That way, we shall achieve real buy-in.
And of course buy-in can extend beyond the firm. If there are critical third-
party dependencies, perhaps agents, sub-contractors or outsourcing suppliers,
they need to be part of the communication network and embrace the firm’s
operational risk standards.
precision. The financial crisis of 2007–9 showed, amongst other things, the
dangers of relying on numbers whose limitations were not understood.
There are many numbers in operational risk, losses being the most painful
ones. But operational risk is not about management by numbers. It is about
managing people and circumstances which are constantly changing and where
judgements, even when based as far as possible on hard evidence, are necessar-
ily subjective. That’s one argument for colours (or words) in operational risk
reports, rather than apparently precise numbers.
The other one is that numbers are not as accessible as colours and good oper-
ational risk management happens as a result of good communication. In almost
every chapter of the framework we show reports which owe their accessibility
to the fact that they use colours to tell the story. A picture tells a thousand
words. In operational risk, a colour tells a thousand numbers.
Reporting
The first challenge is to set up a system, and a culture, in which reporting of
events and ‘near misses’ is what we do, rather than what we try not to do. We
will report events, because everybody in the firm accepts and understands that
it is only by comprehensive reporting that we can understand what is actually
happening; understand what major incident may threaten; and pursue a policy
of continuous improvement. If you look at most disasters, whether financial
or non-financial, you will find that they generally owe their origin to human
frailty of one form or another, of which the most dangerous is the failure to
learn. The evidence is all around us, but we choose to ignore it and not to learn
the lessons. And another disaster strikes. Intelligent operational risk manage-
ment demands that we see and analyse the evidence and learn from it.
Once the data is gathered, the next challenge is to ensure that reports up
and down the organisation are meaningful and useful; that they highlight the
key risks the firm is facing and that reporting of risks, near misses, indicators
and so forth is coordinated. Effective reporting should also involve causal an-
alysis so that we can understand what really happened and can work out what
to do to control our risks better. All reports, and all the information in them,
should lead to action. If a report is not intended to lead to action, drop it.
can be put away for a year, or even more frequently, until it comes up again in
the diary. It is part of the everyday process of management, for which a pro-
cedures manual is not the answer. It needs to be in the blood.
[Framework diagram: Governance; Specify risk appetite; Identify risk owner and assess likelihood and impact; Identify control owner and assess design and performance; Identify and capture internal and external events; Analyse causes; Identify key risk and control indicators; Reporting]
handled with care, as is shown in Chapter 9. But because they rely on stories
involving the real world of work, they can be a powerful means of involving
staff and of getting buy-in. Stress tests and scenarios are themselves one aspect
of modelling. As we shall see in Chapter 8, all the elements we have discussed
in this section can be used in modelling and add significantly to the business
benefits which can be derived. Good modelling, using risk and control assess-
ments, for instance, can assist in a cost–benefit analysis of the controls used by
a firm and the allocation of resources to new or improved controls.
But before we go into the detail of the framework, we need to get buy-in.
Buy-in comes from showing that operational risk management really does add
business benefit, which is the subject of the next chapter.
Notes
1 OECD, Principles of Corporate Governance, 2004. An index of all codes of corporate
governance around the world can be found on the website of the European Corporate
Governance Institute at www.ecgi.org/codes/all_codes.php.
2 BS31100 Code of Practice for Risk Management.
3 Bank for International Settlements, Basel II: International Convergence of Capital
Measurement and Capital Standards: A Revised Framework – Comprehensive Version, June
2006.
4 RMA, British Bankers’ Association, ISDA, PricewaterhouseCoopers, Operational Risk –
the next frontier, 1999. The original definition read: ‘The risk of direct or indirect loss
resulting from inadequate or failed processes, people and systems, and from external
events.’
5 Basel II, Annex 9.
6 Basel II, para 644.
7 See www.csfi.org for CSFI’s various banana skin surveys.
8 Michael Power, Organized Uncertainty (Oxford: Oxford University Press), 2009, p. 126.
9 Risk and Insurance Management Society; see www.rims.org/ERM.
10 Jeremy Grant and Michael Mackenzie, ‘Ghost in the machine’, Financial Times, 18
February 2010.
11 Quoted in Peter L. Bernstein, Against the Gods (New York: John Wiley & Sons), 1998,
p. 118.
12 Ericson, R., Doyle, A. and Barry, D., Insurance as governance (Toronto: Toronto
University Press), 2003, quoted in Power, p. 13.
Introduction
Operational risk management as a marketing tool
Benefits of getting operational risk management right
Benefits beyond the framework
Business optimisation
Introduction
If you want to make the case for operational risk to senior management, you
need to get their attention. That means talking to their agenda, in other words
understanding and addressing their needs. Good operational risk management
is fundamentally about informed decision making. If your decision making is
better informed, your decisions are very likely to be better. Some of the funda-
mental elements of informed decision making with respect to operational risk
management are:
• understanding the operational risk context of decisions (which is part of
governance, see Chapter 3)
• distinguishing and differentiating your operational risks and how they are
controlled (which is part of risk and control assessment, see Chapter 4)
• evaluating and assessing problems in the past (which is part of loss causal
analysis, see Chapter 5)
• knowing where you are now (which is part of indicator analysis, see
Chapter 6)
• knowing where you might be in the future (which is part of scenario
analysis, see Chapter 9)
• allocating capital on an operational risk basis (which is part of model-
ling, see Chapter 8)
• getting the right information on past events, the present state of the
operational risk environment and its possible future state (which is part
of reporting, see Chapter 7).
The alternative, of poor operational risk management, will almost certainly
lead to the business dying – either slowly, or suddenly because of a major oper-
ational risk event.
Good operational risk management will also help to instil a culture of con-
tinuous improvement and business optimisation. There are a number of links
between operational risk management, business optimisation and Six Sigma
and Lean management techniques which we will explore later in this chapter
(and which are also part of the business outcome from modelling operational
risk, see Chapter 8).
motoring risks. However, Volvo has very successfully managed to use an inevi-
table risk control as a marketing and sales differentiator.
Similarly, in the financial services sector, many firms go beyond the regula-
tory requirements for the reporting of operational risk within their reports and
accounts. The Basel Committee on Banking Supervision, in its new Accord
(Basel II) published in 2005,1 aimed to raise standards in banking, in part
through increased transparency of reporting. One of the three pillars of Basel II
was the disclosure of information about the bank’s risk management. However,
the regulatory disclosure requirements for operational risk were minimal com-
pared with those for credit risk. It is clear that firms perceive a competitive
advantage in making it clear to any reader that they identify, measure, monitor
and manage their operational risks thoroughly and so many go into some detail
explaining what they do. Where would you rather deposit your money? A firm
which is making a concerted effort in its operational risk management, or a
firm which is unable or unwilling to articulate what it does?
International and national accounting rules, and business review rules in the
UK, have also joined the trend by requiring increasing disclosure of risk in
the annual report and accounts. All of these are designed to bring risk man-
agement out into the open. But, again, many firms go beyond the minimum
standards and a ‘boilerplate’ approach and see marketing gain from what was
initially viewed as a tedious and oppressive necessity.
By creating risk and control data points which are outside the firm’s usual
experience, scenarios compensate for the subjective nature of risk and control
assessments and for the lack of internal loss data, which is a frequent prob-
lem for firms when assessing their operational risks. Likelihood and impact
assumptions are tested by subjecting them to extreme conditions. Similarly,
control design and performance assumptions are tested.
Scenarios are an excellent means of getting senior management attention;
as a result, they can frequently lead to a reinvigoration of the risk and control
assessment process. This is because scenarios should be performed by the senior
management team as a whole, so that a complete and realistic review of their
effects can be obtained. Scenarios also help senior management to move away
from a historic risk management approach, towards a serious consideration of
how the firm may look in the future.
activity can be prioritised, based on consistent scoring across the firm. Good
operational risk reporting will also generate management involvement and
consensus, which will drive the ongoing identification, assessment and control
of operational risk.
Senior management monitoring of operational risk performance will chal-
lenge the results of operational risk management activity and further embed
the firm’s approach to operational risk management. Risk ownership and
control ownership can be clarified through good reporting and assist in identi-
fying priorities for enhancing controls and the firm’s operational risk profile.
Business continuity
The benefit of a robust, tested and up-to-date business continuity plan should
be self-evident. Fundamentally, it is about survival. Business continuity, or
indeed any contingency arrangement, is an essential tool of operational risk
mitigation and uses the processes of operational risk in its creation and acti-
vation: risk assessment, scenarios and indicators. Just as with any other part
of operational risk management, business continuity helps you identify your
vulnerabilities. As we shall see in Chapter 10, you need to make sure that you
are a survivor. The stakes can be that high in getting business continuity right.
And, of course, if you can get back in business quickly, especially if an event
occurs which affects both you and your competitors, you will have an immedi-
ate competitive advantage.
A good business continuity plan might even mean that you can negotiate
a reduction in your business interruption policy premium, a point which we
pick up next.
Insurance
The fundamental benefit of insurance is, of course, risk transfer at an appropri-
ate cost. Operational risk is the flip-side of commercial insurance since, for the
most part, commercial insurance – property, key man, product liability, public
liability, directors’ and officers’ insurance – is there to cover operational risk.
Outsourcing
Outsourcing is another example where good operational risk management is
also good business management. If outsourcing is managed correctly, as we
show in Chapter 13, it has the huge advantage of placing the outsourced activ-
ity and its associated risks in the hands of somebody who can perform them
more efficiently than you: a good example, too, of operational risk manage-
ment being about opportunities and not just threats.
Outsourcing should enable higher transaction levels, improved speed and
quality of customer service and improved financial controls – another aspect of
improved operational risk management. And, of course, it should reduce costs
and improve profitability. But the primary aim, and most significant benefit,
is to make the business and its risk management more efficient.
People risk
As we explain in Chapter 14, our people are not just a firm’s greatest asset, but
can potentially be its greatest source of operational risk liability. Good people
risk management is a fundamental part of good operational risk management.
It encourages an environment in which risks are reported, so that lessons can
be learned – an environment of continuous improvement. A good people
environment will also be one where people are open to change and are able
to respond flexibly and quickly to business opportunities, as well as to threats
to the business. With good operational risk management in place, people can
genuinely become a firm’s greatest asset.
Reputation risk
Reputation risk can seriously damage your health and wealth. Since repu-
tation risk almost always results from the occurrence of an operational risk, it
follows that good operational risk management is a vital part of good repu-
tation risk management. If you can prevent a risk happening, you will have no
reputation risk to deal with. And if you are the only one of your competitors to
have avoided the risk, your reputation will inevitably be enhanced. In Chapter
15 we show some of the many ways in which reputation can be harmed, but
we also explain how operational risk management can reduce the chances of
reputation risk occurring, as well as how to deal with a reputational crisis if it
should occur. The costs of failure and the rewards of success are immeasurable.
Business optimisation
Operational risk management is not just about avoiding losses or reducing
their effect. It is also about finding opportunities for business benefit and con-
tinuous improvement. As we mentioned in the introduction to this chapter,
operational risk management can be used as the groundwork for Six Sigma
and Lean management approaches, as shown in Figure 2.1. The just-in-time
method of management relies on properly identifying, measuring, monitoring
and managing supply chain risks which are part of the universe of operational
risk. Additionally, quality circles rely on full and informed operational risk
management, as does total quality management.
The concepts of process improvement and business optimisation are funda-
mental parts of operational risk management and Six Sigma gives a structured
approach. The Six Sigma themes of focus on the customer and of fact-driven
proactive management are wholly compatible with good operational risk
management and many would argue are, indeed, the same themes as pervade
operational risk management. Further, the Six Sigma starting point of process
mapping can be very useful to operational risk management and gives business
benefit in its own right.
Figure 2.1 Interaction of operational risk management and Six Sigma and Lean management approaches
[Figure 2.1 diagram: process improvement; objectives]
At the business level, a robust and efficient operational risk system will
enable managers to react to events more quickly and with greater effectiveness.
At the board level, good operational risk management reduces the volatility of
performance and facilitates efficient resource and capital allocation.
From an investor point of view, operational risk management encourages
and allows an understanding of where shareholder value is being created or
destroyed. A good operational risk management system, fully embedded in the
business, will prevent any blindness to risk which may affect the profitability
of a business line or transaction. Risk and control perception is improved
through instilling a risk culture which leads to business optimisation. That
will be reflected in a firm’s credit rating. And it will also generate a significant
regulatory benefit in an improved relationship with the regulator, wherever
that is applicable. A further benefit is that if you get it right, you avoid paying
the lawyers!
Operational risk management is fundamental to successful business manage-
ment. It produces true business benefits in its own right. Having established
that principle, we can now go on to explore the operational risk management
framework in detail and get down to the practical mastery of operational risk.
Note
1 www.bis.org/publ/bcbsca118.htm
Part 2 The framework
3. Governance
4. Risk and control assessment
5. Events and losses
6. Indicators

Chapter 3 contents:
Introduction
Operational risk management framework
Operational risk policy
Operational risk appetite
Roles and responsibilities statements
Glossary
Timeline
Introduction
Good governance is the starting point for good operational risk management.
Given that risk management is vitally important to all firms, good operational
risk governance should be one of the board’s primary aims. It is essential for
the effective embedding of operational risk management into a firm’s everyday
activity. It is not a rigid set of rules, nor is it a box-ticking exercise, but the
basis of good business conduct.
Risk management has also become a focus of investor as well as supervi-
sory attention and investors are increasingly looking to firms for clear evidence
of good governance. As we saw in Chapter 1, there are numerous corporate
governance codes and requirements around the world which apply to the risk
management of any firm, particularly if it is publicly listed. The point of good
corporate governance is to establish a system which ensures effective account-
ability on the part of a board to investors and other stakeholders.
Operational risk governance is about the organisational structure of the firm
and accountabilities for operational risk management, including risk owner-
ship. It includes: the risk culture which the firm displays; the attitude of the
board and senior management to risk and its risk management staff; and may
include awareness sessions for both the board and staff. As was also said in
Chapter 1, culture is as much about the tune in the middle as the tone from
the top of the firm, so governance is the responsibility of everybody in the
firm, not just the board. A firm operating good governance will encourage dia-
logue and challenge on operational risks up and down the organisation.
The acid test that operational risk is embedded in the firm is how it uses
operational risk management methodologies and techniques in its day-to-day
management. This is often referred to as the ‘use test’. Can the firm demon-
strate that operational risks are considered fully when strategy is being set:
when a possible merger is being considered for instance; when a new product is
being mooted; indeed when any business decision is being made?
Operational risk governance, in common with other forms of corporate
governance, is about enabling the board and senior management to guide and
direct operational risk strategy and to review its effectiveness. From a practical
perspective, this will encompass:
• a framework showing how to identify, measure, monitor and manage
operational risks
• a policy document approved by the most senior executive body of
the firm
• terms of reference for relevant bodies, departments and persons
• a timeline for tracking and reviewing the development of operational
risk processes within the firm.
[Figure 3.1 Operational risk management framework: Governance; Specify risk appetite; Identify risk owner and assess likelihood and impact; Identify control owner and assess design and performance; Identify and capture internal and external events; Analyse causes; Identify key risk and control indicators; Reporting]
Frameworks can take many forms. Framework ‘A’ (Figure 3.2), for example,
is in the form of the familiar ‘temple’ image.
[Figure 3.2 Framework ‘A’: assurance as the key-stone above three pillars, strategy and governance, identification and assessment, and monitoring, resting on a foundation of common understanding and embedding of risk management]
Its three pillars are: strategy and governance, identification and assess-
ment, and monitoring. Within these can be found the elements of the
framework shown in Figure 3.1. Framework ‘A’ shows that a common
understanding and embedding of risk management is the fundamental
foundation. In this framework, assurance is shown as the key-stone and
over-arching process, rather than being part of governance.
Framework ‘B’ (Figure 3.3), interestingly, separately identifies governance
and structure, and strategy and policy. It shows the risk management cycle
of risk identification, risk assessment, management and mitigation, moni-
toring and reporting, but does not identify the processes which are used to
achieve that.
Framework ‘C’ (Figure 3.4), in common with Framework ‘A’, makes ref-
erence to independent assurance. It also shows the information flows from
reporting to strategy/goals and to and from reporting and independent assur-
ance. Once an informed strategy has been agreed, the firm can establish its
governance and risk management environment. In addition, Framework ‘C’
explicitly recognises that action plans are a central part of operational risk
management and that they can flow from risks, controls, indicators and loss
causal analysis.
[Figure 3.3 Framework ‘B’: ORM governance and structure; ORM strategy and policy; RM process cycle of risk identification, risk assessment/quantification, mitigation/management, monitoring and reporting]
[Figure 3.4 Framework ‘C’: strategy/goals; governance; environment; independent assurance; identify risks, assess risks, identify controls, assess controls, monitor indicators, analyse near miss/loss causes; action plans; reporting]
applicable to any firms where operational risk management was initially car-
ried out by either internal audit or compliance. Clear roles for these three
areas must be documented. In smaller organisations, the three functions
often overlap. Extreme care should be taken, however, even in small firms,
to ensure the independence of internal audit (see Chapter 12, Internal audit).
• A glossary of terms. It is vital that all staff have a clear explanation and
understanding of the various terms used in operational risk. Even seemingly
innocuous terms such as risk event, control and loss can give rise to confu-
sion if they are not clearly defined and understood.
In addition, policies will often have references to:
• categories and sub-categories of risk and of operational risk
• the role that central risk management plays in the firm (as compared
with the risk management units in the businesses)
• how to deal with deviations from policy
• how issues are escalated and resolved
• risk reporting flows of information.
Many of these elements are dealt with elsewhere in the book, but it is worth
looking briefly at operational risk appetite and at roles and responsibilities
for operational risk management, and giving some suggestions for definitions
which might be helpful in compiling a glossary of operational risk terms.
The clause in square brackets gives more precision and is often included in def-
initions of risk appetite by more sophisticated firms which are further down
the road of risk modelling. Clearly this broad definition is as applicable to
operational risk as it is to other types of risk.
Trying to write a similar definition for operational risk appetite is more
difficult. One approach is to look at individual loss categories and to write
statements covering these.
• ‘Zero deaths
• Zero injuries to the public
• Zero ruined lives among our people.’
Balfour Beatty has estimated that approximately half a million people
are working on their sites during a 12-month period, most of them sub-
contractors, and that figure excludes the public on and near their sites, for
whom they also accept responsibility. The project has an ambitiously low risk
appetite, but, as with all the best operational risk management strategies, it is
founded on good communication. The ‘Zero harm by 2012’ project slogan and
logo (see Figure 3.5) – ‘Zero Harm by 2012’ alongside a large zero in a strik-
ing shade of orange – are simple and powerful, and quickly and clearly convey
to employees and sub-contractors the company’s risk appetite.
senior management and the shareholders which lead to at least three levels of
appetite for any firm:
• Senior management’s operational risk appetite is likely to be relatively
short term and focused on business opportunities which generate an appe-
tite which is inevitably bullish in nature, i.e. thresholds/targets are likely
to be significant in size. An example could be a merger, which will often
lead to acceptance of a considerable increase in operational risk to reflect
the period of significant change that will be involved. An intelligent senior
management will also increase its relevant operational risk thresholds.
• The board’s risk appetite is likely to be longer term in nature and lower
than senior management’s. Continuing the merger example, the board
will state an operational risk threshold, perhaps in terms of the capital
it is willing to risk. This may well be exceeded by senior management,
even though it is attempting to manage to the board’s operational risk
policy threshold. The issue will then be resolved, depending on the
firm’s culture and processes of communication and reporting between
senior management and the board.
• The shareholders’ risk appetite is likely to be the lowest of the three and
will probably be focused on the smallest possible volatility in earnings
consistent with a reasonable return.
It is important for the board periodically to review and challenge the risk
appetite which has been proposed by senior management. Following the
review or challenge the board should reconfirm its appetite, with appropriate
changes where necessary. During the challenge period, the board should assure
itself that senior management has considered all foreseeable emerging oper-
ational risks to which the firm may be subject and that appropriate processes
and resources are being utilised to manage them.
Within the firm there will also be different approaches to operational risk
appetite at each level, so that we need to ask the question: ‘At which level within
the firm are we considering our operational risk appetite?’ In any firm there are
at least four levels which have different approaches to operational risk appetite:
• the board, who will frequently seek a risk appetite in terms of capital
(either economic or regulatory) and profit
• senior management, who will tend to define operational risk appetite in
terms of risk and the action taken to manage and mitigate each risk
• business units, which may well use the classic approach to operational
risk management of defining their operational risk appetite through risk
and control assessments, key risk indicators and loss data
• business support functions, which mostly focus on key risk indicators
and loss data.
controls fail. It is a much larger figure than the expected loss, as it is usually at
a lower frequency and higher severity. It is, therefore, more difficult to identify
and calculate. Scenario analysis can be helpful when considering operational
risk appetite at an unexpected loss level (see Chapter 9, Stress tests and scen-
arios). If mathematical models are used in the calculation of unexpected losses,
the process will almost certainly be less accessible to most senior management,
unless they are given statistical training. Unexpected loss is effectively what a
firm’s capital and profits are there to absorb.
Absolute figures
At an individual risk level, the main link to the firm’s financials is through
the amount of loss that the firm is willing to accept in relation to that par-
ticular risk. One practical way of expressing the firm’s operational risk appetite
is therefore through the monetary loss which the firm is willing to accept for
each risk to the strategic objectives.
Figure 3.7 shows how a firm may deduce its risk appetite by considering its
actual losses against a loss distribution, with the capital determined at a specific
confidence level. This can be done at an overall firm-wide loss level or at
a loss category level, where sufficient data exists to generate a reliable distribu-
tion and its analysis.
[Figure 3.7: loss distribution, with the mean and the appetite (tolerance) point marked]
The board may decide that its acceptable risk tolerance lies at the mean of
the losses incurred over a given period of time for a particular risk. It can then
decide at what point on the curve it should identify thresholds, including for
the level of loss it considers unacceptable. Once this is established, risk assessment can be matched to a scale of monetary values as a basis for risk appetite.
Ranges are assessed for the impact and likelihood of each risk, which are
used to calculate a mid-point for each band (see Figure 3.8). It is then a
simple matter for the mid-points for impact and likelihood to be multiplied
to achieve a heat map which can be coloured according to the appetite levels
already identified (see Figure 3.9).
From the format used in Figure 3.9 it is possible to see immediately which
risks in the risk assessment are outside the agreed appetite. At the bottom left-
hand corner, the values should be easily ignored as they are so small. If any
risks are in the top right-hand corner, immediate action should be taken as
these are considerably beyond acceptable levels.
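The sequence described for Figures 3.7 to 3.9, worked through as an added example (this is not code from the book): tolerance is set at the mean of a constructed loss sample, the ‘unacceptable’ level at a chosen confidence level of the same sample, impact and likelihood bands are reduced to their mid-points, and the product of the mid-points is coloured against those monetary thresholds. The loss figures, band ranges, confidence level and risk names are all constructed assumptions.

```python
"""Added example (not the book's code): derive monetary appetite thresholds from a
loss sample, then place risks on an impact x likelihood heat map coloured by those
thresholds. All loss figures, band ranges and risk names are constructed."""
import math
from statistics import mean

# Constructed sample of losses (GBP) for one loss category over the period.
SAMPLE_LOSSES = [
    1_200, 3_400, 800, 15_000, 2_100, 950, 48_000, 6_500, 2_900, 1_700,
    22_000, 4_300, 1_100, 9_800, 3_000, 130_000, 2_600, 7_200, 1_900, 5_400,
]

# Impact bands: monetary range (GBP). Likelihood bands: annual probability range.
# Both sets of ranges are constructed for the example.
IMPACT_BANDS = {
    "Minor": (0, 5_000),
    "Moderate": (5_000, 25_000),
    "Major": (25_000, 100_000),
    "Severe": (100_000, 500_000),
}
LIKELIHOOD_BANDS = {
    "Rare": (0.0, 0.05),
    "Unlikely": (0.05, 0.25),
    "Possible": (0.25, 0.60),
    "Likely": (0.60, 1.0),
}


def percentile(values, q):
    """Nearest-rank empirical percentile (q in 0..100) of the observed losses."""
    if not values:
        raise ValueError("need at least one loss")
    ordered = sorted(values)
    rank = max(1, math.ceil(q / 100.0 * len(ordered)))
    return ordered[rank - 1]


def appetite_thresholds(losses, confidence=95.0):
    """Tolerance at the mean of the observed losses; 'unacceptable' at the chosen
    confidence level of the same distribution (both are monetary values)."""
    return {"tolerance": mean(losses), "unacceptable": percentile(losses, confidence)}


def midpoint(band):
    low, high = band
    return (low + high) / 2.0


def risk_score(impact_band, likelihood_band):
    """Mid-point impact x mid-point likelihood: an expected-loss figure in GBP
    that can be compared directly with the monetary thresholds."""
    return midpoint(IMPACT_BANDS[impact_band]) * midpoint(LIKELIHOOD_BANDS[likelihood_band])


def colour(score, thresholds):
    """Green within tolerance, amber between tolerance and unacceptable, red beyond."""
    if score <= thresholds["tolerance"]:
        return "green"
    if score < thresholds["unacceptable"]:
        return "amber"
    return "red"


def heat_map(risks, thresholds):
    """risks: iterable of (name, impact_band, likelihood_band). Returns one row
    per risk, sorted so the risks furthest outside appetite come first."""
    rows = []
    for name, impact, likelihood in risks:
        score = risk_score(impact, likelihood)
        rows.append({"risk": name, "impact": impact, "likelihood": likelihood,
                     "score": score, "colour": colour(score, thresholds)})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed risk register entries: (risk event, impact band, likelihood band).
SAMPLE_RISKS = [
    ("Ransomware on file servers", "Severe", "Possible"),
    ("Core banking system outage", "Severe", "Unlikely"),
    ("Internet-facing server compromised through missing patch", "Major", "Possible"),
    ("Production credentials committed to source repository", "Major", "Unlikely"),
    ("Password reset process bypassed", "Moderate", "Possible"),
    ("Data entry error on customer record", "Minor", "Likely"),
]

if __name__ == "__main__":
    thresholds = appetite_thresholds(SAMPLE_LOSSES)
    print(f"tolerance={thresholds['tolerance']:.0f} unacceptable={thresholds['unacceptable']:.0f}")
    for row in heat_map(SAMPLE_RISKS, thresholds):
        print(f"{row['colour']:5} {row['score']:>10.0f}  {row['risk']}")
```

With the constructed sample the tolerance works out at about £13,500 and the unacceptable level at £48,000, so a Severe/Possible risk lands in the red zone while a Severe/Unlikely one is amber; the point of the sort order is that the board sees first the risks that need immediate action.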
Figure 3.10 Risk appetite using risk and control assessment scores
[Chart residue: risk and control assessment scores on a 0.0–200.0 scale for the risks ‘Computer applications poorly specified’, ‘Systematic approach to IT strategy’, ‘Computer systems not adequately protected’, ‘IT dependency on people’, ‘Systems and processes not adequately protected’ and ‘Systems manuals and procedures documentation’; the individual scores are not recoverable from the extracted text.]
Figure 3.12 Risk appetite using KRI thresholds for ‘Number of help desk queries’
are failing the business and that there is a very high likelihood of a loss of the
entire system. In this event, there is clearly a senior management problem that
requires immediate attention. If ‘Number of help desk queries’ ever reached those levels it would be likely to be referred to the board, as loss of the IT system is a typical strategic risk. If ‘Number of help desk queries’ is 2 or fewer, the firm should question whether there may be a problem with apathy towards the help desk (because of the number of unanswered help desk queries, for example), which may also indicate a likely failure of the IT system.
In Figure 3.13 it can be seen that, by business line, there is a range of between
10 and 79 for the number of losses captured relating to external fraud. It may
be that the firm has different appetites for different business lines. For example, external fraud may be more likely in retail parts of the firm, although
the impact is likely to be smaller than in the corporate and wholesale parts
such as Trading and Sales or Corporate Finance. However, a simple count
across the firm can be used for an appetite for external fraud and this may be
said to be no more than 20 losses in the period. If this is the case, four out of
the eight business lines have exceeded the firm’s appetite for external fraud.
This may result in an action plan to investigate the relevant controls in the
four delinquent business lines, perhaps carried out by internal audit.
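The two appetite checks just described, worked as an added example that is not the book's own code: a KRI with thresholds at both ends (the text notes that 2 or fewer help desk queries is itself a warning sign, while very high counts go to the board) and a firm-wide count appetite of 20 external fraud losses applied across eight business lines. The upper KRI thresholds, the escalation wording and the per-line loss counts are constructed assumptions; the text only fixes the low end of the KRI, the appetite of 20 and the 10 to 79 range of counts.

```python
"""Added example (not the book's code): two-sided KRI threshold bands with
escalation levels, and a loss-count appetite check by business line.
Threshold values, business-line counts and escalation wording are constructed."""

# Bands for the KRI 'Number of help desk queries' per period (inclusive bounds).
# The low band follows the text (2 or fewer is a warning sign); the upper bands
# are constructed for illustration.
HELP_DESK_BANDS = [
    # (low, high, status, action)
    (0, 2, "amber-low", "check for apathy towards the help desk"),
    (3, 40, "green", "within appetite"),
    (41, 80, "amber", "report to senior management"),
    (81, None, "red", "refer to the board: possible loss of the IT system"),
]


def classify_kri(value, bands):
    """Return (status, action) for a KRI reading against inclusive bands.
    A None upper bound means the band is open-ended."""
    if value < 0:
        raise ValueError("KRI reading cannot be negative")
    for low, high, status, action in bands:
        if value >= low and (high is None or value <= high):
            return status, action
    raise ValueError(f"no band covers the reading {value}")


# Constructed external-fraud loss counts for the period, by business line
# (names follow the Basel business-line list; the counts are made up).
EXTERNAL_FRAUD_COUNTS = {
    "Corporate Finance": 10,
    "Trading and Sales": 14,
    "Retail Banking": 79,
    "Commercial Banking": 23,
    "Payment and Settlement": 31,
    "Agency Services": 12,
    "Asset Management": 18,
    "Retail Brokerage": 44,
}


def lines_over_appetite(counts, appetite):
    """Business lines whose loss count exceeds the firm-wide appetite, worst first."""
    over = {line: n for line, n in counts.items() if n > appetite}
    return sorted(over.items(), key=lambda kv: kv[1], reverse=True)


def appetite_report(counts, appetite=20):
    """Summary a risk committee could act on: which lines breached and by how much."""
    breaches = lines_over_appetite(counts, appetite)
    return {
        "appetite": appetite,
        "breaches": breaches,
        "breach_count": len(breaches),
        "excess": [(line, n - appetite) for line, n in breaches],
        "total_losses": sum(counts.values()),
    }


if __name__ == "__main__":
    for reading in (1, 25, 60, 120):
        status, action = classify_kri(reading, HELP_DESK_BANDS)
        print(f"help desk queries={reading:>3}: {status} ({action})")
    report = appetite_report(EXTERNAL_FRAUD_COUNTS)
    print(f"{report['breach_count']} lines over appetite of {report['appetite']}:")
    for line, n in report["breaches"]:
        print(f"  {line}: {n}")
```

Four of the eight constructed lines exceed the appetite of 20, matching the situation the text describes, and the sorted breach list gives internal audit an obvious order in which to review the relevant controls.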
massive internal fraud which has also undoubtedly exceeded the firm’s risk
appetite for this loss event type.
Board of directors
The board sets the tone and culture of the firm and also the business objectives. In addition, it has a vital oversight role. Given this, it is important
that its role and responsibilities in operational risk are clearly articulated and
understood. The board should:
• understand the operational risk profile
• approve the operational risk policy and operational risk management procedures
Audit committee
The roles and responsibilities of the audit committee in relation to internal
and external audit are considered more fully in Chapter 12, Internal audit.
Increasingly, boards are forming separate risk committees to maintain board
level oversight regarding risk management and reporting. The Walker Review
of governance in banks, which was instigated by the UK government in the
aftermath of the financial crisis of 2007/9, recommended that all FTSE-100
banks and other major financial institutions should establish a board risk committee separate from the audit committee.² However, where this is not the
case, the audit committee should:
• keep the firm’s internal controls and operational risk management systems under review
• receive reports from management on the effectiveness of operational risk management systems and of any tests carried out on them
• review and approve any statements about operational risk management contained in the company’s public financial reports.
compliance and other functions (line 2), and independent assurance via internal
and external audit (line 3). The executive operational risk committee is one of
the points where lines 1 and 2 come together. It should:
• be chaired by the chief risk officer (or the CEO)
• include the head of operational risk
• include representatives from the business lines
• receive reports, highlighting major operational risk issues
• advise the board on operational risk appetite and tolerance for future strategy, taking into account the board’s overall degree of risk aversion and the current financial situation of the firm
• develop quantitative as well as qualitative metrics for risk assessment
• oversee a due diligence appraisal of the operational risks of any proposed strategic transaction, particularly one involving acquisition or disposal – even if operational risk management is or has been part of the project team
• produce a separate annual report on its work, focusing on the governance of risk, the relevance of the committee’s work to current and future risk strategy and recognising that there may be a potential overlap with reporting by the audit committee
• recognise that taking external advice is consistent with the board’s duty of care, where sufficient skill or knowledge is lacking in a technical area of operational risk.
Business lines
The ‘three lines of defence’ model explicitly recognises the primary role of the
business line in managing risk in a firm. Business lines are responsible for the
risks they generate. As part of their responsibilities for line operational risk
management they should:
• develop operational risk awareness and an operational risk culture within the business line
• own the risks which they generate and their controls
• own the operational risk profile and operational risk appetite of the business line
• identify and assess the relevant business line risks and their mitigating controls in line with policy
• monitor, manage and review their risks
• manage and report incidents, events, losses and near misses in line with policy and guidelines
• keep risk exposures within limits and follow policies when limits are breached, including escalation as appropriate
Internal audit
Although Chapter 12 deals extensively with the internal audit function, it is
worth commenting, in a chapter on governance, on the confusion there often
is between the internal audit function and the operational risk management
function. There shouldn’t be any confusion if it is clearly recognised that the
operational risk function has an oversight role (line 2 of the three lines of
defence in Figure 12.1), whilst internal audit is part of the independent assurance process, line 3.
The confusion probably arose from the fact that operational risk started life
within internal audit on the basis that it was the only function which understood all the firm’s internal processes. Operational risk managers should be
involved in establishing processes, with the business line, which cover all aspects
of operational risk and providing reports to the board and senior management.
It is internal audit’s responsibility to review those processes regularly, to assess
their effectiveness and to report on the review to the board. Internal audit provides assurance to the board that operational risk is effectively managed.
Of course, there will be liaison between the two functions, but internal
audit should not be involved in establishing processes or, for instance, producing scenario assessments. It is there to provide assurance and can hardly give
assurance on something on which it has been a party to creating.
Compliance function
There is also often confusion between the roles and responsibilities of the
compliance function and those of the operational risk management function,
although in this case both are part of the line 2 oversight function (see Figure
12.1). Whilst the compliance function primarily focuses on regulatory requirements, whatever the industry, these are a sub-set of the overall focus for the
operational risk management function, which has a broader and more business
oriented portfolio. In respect of operational risk management, the compliance
function will:
• act as the operational risk adviser to the firm, and in particular guide senior management in their operational risk management responsibilities
• bring an operational risk focused viewpoint to strategic planning and other activities of senior management
• facilitate the implementation of the operational risk processes, providing coaching and guidance to business line management
• manage the process for setting the operational risk appetite
• monitor and manage the firm’s overall exposure to operational risk
• ensure a consistent approach to operational risk across the lines of business
• coordinate appropriate and timely reporting of operational risks
• coordinate operational risk input to the risk committee and the board on the firm’s risk profile, control infrastructure and any control failings or weaknesses and actions taken
• coordinate input to the regulators on relevant operational risk matters
• liaise with the internal audit department.
Glossary
The importance of all staff having a clear understanding of operational
risk terms has already been highlighted. One way of ensuring that everybody is speaking the same language is to provide a glossary of terms in the
operational risk policy document. Examples of terms and definitions which
might be included are as follows.
Timeline
The final part of governance is to implement the operational risk framework.
The timeline sets out the project timetable which incorporates the six main
operational risk processes and also important items such as staffing.
Given the number of interlinking processes in operational risk management,
a timeline to identify when each process is expected to be operational is important to the necessarily phased introduction of operational risk management to
a firm. In addition, at some stage, the firm will need to implement a software
tool to capture and handle the significant amount of data being captured or
created. A timeline will assist the firm in deciding when a tool will be useful
and when or if it will be indispensable and plan accordingly.
The chart (see Figure 3.15 for an example) will also enable the efficient
management and review of the development of operational risk management. Senior management and the board will find that they can more easily
understand the implications of changing the speed of the development of
operational risk.
If the governance is right, then almost certainly operational risk management will be right. With proper operational risk governance in place, there
will be commitment from the top, acceptance through the middle, and policies
in place to establish the operational risk framework, which is what we shall
cover in the next few chapters.
[Figure 3.15 (chart residue): timeline chart; the legible items are ‘Staffing requirements review’ and ‘Recruitment/staffing’.]
Notes
1 A registered trademark of Balfour Beatty plc, registered in England as a public limited company; Registered No: 395826; Registered Office: 130 Wilton Road, London SW1V 1LQ. We are very grateful to Andy Rose, Group Managing Director, Balfour Beatty plc, for his time and assistance in explaining the ‘zero harm’ project. For further information about the ‘Zero harm’ project, see www.balfourbeatty.com/bby/responsibility/safety/highlights/.
2 HM Treasury, A review of corporate governance in UK banks and other financial industry entities, Final recommendations, 26 November 2009. www.hm-treasury.gov.uk/d/walker_review_261109.pdf.
Business objectives/processes/activities
A risk and control assessment aims to capture the risks and controls of a firm
at the appropriate level. The level required may be strategic, process or activity, as shown in Figure 4.1. A strategic risk and control assessment will derive
its risks and controls from the business objectives of the firm and what will
prevent the firm from meeting its business objectives. Similarly, the risk and
control assessment carried out at the process level will have regard to processes
which a firm undertakes and the objectives of those processes. These may be
high-level processes, i.e. those carried out at the business unit level, or may
be lower-level processes carried out at a departmental level. Processes will
ultimately break down into many activities. The risk and control assessment
carried out at an activity level will therefore produce a significant number of
risks and controls.
Benefits to firms
There are many benefits to firms in carrying out risk and control assessments.
These range from a clearer understanding of the operational risks which the
business faces, through identifying risks which have insufficient controls, to
setting action plans to enhance existing controls and implement new controls.
A clear understanding of risks will also point to opportunities for profitable
risk-taking and business optimisation (see Chapter 2, The business case for
operational risk management).
In detail the benefits include:
• a comprehensive understanding of the business’s operational risk profile
• more accurate information regarding the level of risk to the business
• identification of potential risk hotspots and control bottlenecks
• a defined structure to risks and controls, which provides an effective and consistent treatment of risks across the firm and consistent risk reporting
• managing risks and mitigation as a ‘portfolio’ to help the business make a clear link between risk and performance
• increased acceptance of a risk culture in the business by assisting those who are responsible for managing risk on a day-to-day basis
• embedding risk management processes into the core processes of the business
• communicating the firm’s view of its risks and controls to existing staff and new recruits
• enabling risks associated with cross-functional processes to be managed more effectively
• a better response to issues within the business, as the risks are more clearly understood
• further assurance to the board that the statements in the annual report are accurate
• improved business continuity planning
• documentation of risks and controls for use by external stakeholders such as regulators.
Prerequisites
[Figure residue: operational risk framework diagram, with ‘Governance’ above and ‘Reporting’ below the process boxes ‘Identify key risk and control indicators’, ‘Specify risk appetite and assess likelihood and impact’, ‘Identify risk owner and assess design and performance’, ‘Identify control owner’, ‘Identify and capture internal and external events’ and ‘Analyse causes’.]
Business objectives
Risk and control assessments should start at a strategic level. It is therefore
necessary to have a list of the business’s strategic objectives so that the assessment can be carried out in relation to the principal aims of the firm. Without
the business objectives to provide a focus, the risk and control assessment
will lack an appropriate level in which to place its risks. The result will be
a mixture of high-level, process and activity risks, which will give very little
business benefit, due to the heterogeneous nature of the risks (and therefore the controls) and the lack of any clear connection with the business objectives
relevant to each level.
Basic components
Risk events
A risk event is an unchanging and distinct occurrence which may impact the
firm’s profit and loss account or its balance sheet. An event can have its origin
in a number of causes or triggers, which may vary through time. An event may
also generate different consequences or effects, which may also vary over time.
However, the event itself is immutable. A risk event is evaluated in terms of
the likelihood and the impact of a risk.
Risk owner
A risk owner has direct and explicit responsibility for the management of
the risk event. This will ultimately be a board member, but ownership will
be delegated down to an appropriate level and individual. Given that operational risk involves everybody in the firm, it could be said that everybody is
a ‘risk owner’. The identification of a specific risk owner ensures transparency
and clarity over the management of a risk. It also enables the firm to judge
its concentration exposure in terms of management responsibility for risks,
as risk owners generally own several risks. The firm should try hard therefore
to identify a single owner for each risk. However, for certain risks, composite
owners are unavoidable. These will include a number of strategic risks, which
the board will own as a whole.
Control
A control is the element within a process which has been developed to facilitate action to reduce or eliminate either the likelihood or impact of a risk
event. A control is evaluated in terms of its design and performance.
Control owner
An owner of a control is an individual with responsibility for executing a control procedure. Several controls can be owned by one individual.
Action plans
Action plans are created in response to a control that does not reduce the risk
to within the firm’s tolerance for that risk. They modify or add to existing controls so that the risk is within the agreed appetite.
Risk register
A risk register lists all the risks identified by a firm by risk category and may
also be known as a risk inventory, a risk library or a risk list. Whilst it is useful
to have a full list of risks identified by the firm, it can be constraining in a risk
and control assessment, since participants tend to focus on the list rather than
on what might prevent the firm from achieving its strategic objectives or the
process from being carried out. Given that one of the purposes of a risk and
control assessment is to identify the risks, the existence of a risk register begs
the question as to how the risks in the register were identified and to what the
risks relate. If there is a risk register, put it to one side and start the risk and
control assessment from scratch. The register can be used later to check that no
significant risks have been forgotten.
Cause/trigger
A cause or trigger is something which precipitates a risk event. These are helpful in identifying risk events and in avoiding confusion between a cause and
an event. However, causes are more useful in assisting the identification of an
efficient action plan; the prevention of a cause will, by definition, prevent a
risk event.
Bear in mind, though, that causes of risk events change over time, so that
preventing a cause today will not necessarily prevent the same risk event from
occurring tomorrow from a different cause. Just as one cause can trigger many
risk events, so a risk event can be triggered by many causes.
Effect/consequence
A risk effect or consequence is an occurrence which is precipitated by a risk
event. These are often confused with risk events as they are the most obvious outcome of a risk event actually happening and are often easier to control
or manage than the event itself. The control of an effect can give immediate
short-term assurance to a risk owner, without having to undergo the more
intellectually rigorous and longer analysis of the risk which precipitated the
effect in the first place.
Indicators
Indicators show the movement in the likelihood or impact of a risk, in the
design or performance of a control, or in the performance of a firm in relation to its objectives or processes. As such, existing key indicators are useful
in identifying the risks and controls on which the firm focuses. However, key
risk indicators and key control indicators are often mixed with key performance
indicators, so a first step is to sort the indicators (see Figure 6.2 and Chapter 6
in general). Although there will be business benefit in sorting indicators into
logical and consistent sets, this activity is likely to be outside the scope of a risk
and control assessment and will therefore generally be undertaken separately.
Losses
Losses are the monetary result of a risk event occurring. Losses are often collected by firms, particularly in internal audit reports and reports to the audit committee. When loss causal analysis is used, this can again be helpful in identifying the risks which have occurred and controls which have failed. However, the risks will have been identified without any reference to the business objectives or processes and are often couched as control failures relating to causes
or effects, rather than as risk events which resulted from the control failures.
Again, care must be taken and additional work will probably be required for
the analysis to be used in the risk and control assessment.
A firm’s losses will only give a historical view of the risk events to which it has
previously been subject. It is therefore important to understand that there will be
many more potential risk events than are identified by a loss causal analysis.
See also Chapter 5, Events and losses.
Link to objectives/processes/activities
A risk and control assessment must be related to a business objective or procedure and must not be performed in isolation. It should start, and often does, as a strategic assessment linked to the business objectives, although assessments can be carried out on processes, activities and projects. The explicit link with business objectives gives the risk and control assessment a focus and enables risks to
be identified within a framework and therefore at an appropriate level. Without
such a link, it is difficult to relate the risks identified to a specific business area
and therefore difficult to identify and provide clear business benefit.
exercise at this high level, by using combinations of risk drivers and themes (see
Assessing risk later in this chapter). This is possible, but has little benefit either
to the business or to identifying a firm’s risk profile. You need to get down to
a granularity which yields business and operational risk benefit, but is not so
unwieldy as to provide overwhelming and ultimately meaningless detail.
A risk category is a set of similar risk events, for which there is benefit in
treating them as a group (see Table 1.1). This is obviously an advantage, but it
is important that they are identified after the risk and control assessment and
are not identified beforehand. The risk and control assessment will have been
linked to the business objectives, so that any linked risks will naturally emerge
from the risk and control exercise and be aligned to the objectives.
Frequency of identification
Identifying risks (and their accompanying mitigating controls) should be a
part of the firm’s day-to-day business life and processes. Risk identification is
a normal and natural part of being in business and should not be regarded as
something which is done only once every six months or whenever a full risk
assessment is performed.
Immutable
As noted above (in Risk events), a risk event is an unchanging and distinct
occurrence. Although the causes of an event may change (a building burning
down may be caused by different factors), the risk event itself does not change.
This enables a consistent analysis to be taken of the gross risk to the business.
It also enables the required controls to be viewed consistently for the same risk
across a firm, as the firm may develop an ideal set of controls for the risk event.
Comparability of the effectiveness of the controls for the same risk across a
global organisation is then possible.
Reputational damage
Reputational damage is generally a consequence of a risk event. As such, there
are strong arguments for not identifying it as a risk in its own right. However,
many firms view this risk as their most serious and would not give credibility
to a risk and control assessment which did not identify reputational damage as
a risk. It is therefore important to ensure that double counting does not take
place when using a risk and control assessment for quantification of operational
risk (see Chapter 8, Modelling).
There are a number of examples of reputation damage in Chapter 15,
Reputation risk. In the Perrier example, although the cost of withdrawing
millions of bottles was very high, the reputation damage to Perrier was even
higher. However, the reputational damage was a direct consequence of the risk
event of contamination of the water.
Examples
Practical examples of levels and their components
Activity example: suspense account balance write-off
Cause: Lack of clarity of ownership of reconciliation process
Risk event: Suspense account balance write-off
Control: Procedures for regular reconciliation and reporting on reconciliation
accounts; follow-up actions on reconciling items
Impact:
• Direct: loss of un-reconciled balance
Assessing risks
Gross/net/target
Risks can be assessed at several levels of mitigation. Gross (or inherent) risk is
assessed with no account taken of the controls which exist within a firm. The
only controls which are assumed at the gross level are inherent controls such
as people’s honesty and society’s willingness to obey the law. The advantage of
assessing risk at a gross level is that there are no assumptions about the quality or existence (or otherwise) of controls. It also identifies the level of loss to
which the firm is exposed if and when the existing controls fail.
Net (or residual) risk is assessed after allowing for the existing controls
within the firm. This means that there are assumptions about the adequacy
and continuing effectiveness of the controls. These assumptions are rarely
stated in net risk assessments. If they are stated, they become close to control
assessments. The object of this part of the exercise is to assess risks, not controls. The level of loss arising from a net risk assessment is the day-to-day loss
which the firm suffers with the existing level of control.
Target risk is the name often given to the final level of expected risk appetite which exists within a firm after all mitigating effects are at the firm’s
desired level. It is used to assess the impact (and sometimes the effectiveness)
of control enhancement plans.
If risks are assessed at a gross level, a control assessment can easily be linked
to the risk assessment. If risk is assessed net, the control assessment is already
implicit in the net risk assessment and the result will require reconciling back
to the explicit control assessment.
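The gross, net and target levels, and the reconciliation problem raised in the last paragraph, as an added example that is not the book's own code. It assumes, for illustration only, that a control's effectiveness is the product of its design score and its performance score (each between 0 and 1), and that a net figure assessed directly can be reconciled by asking what control effectiveness it implies against the gross figure; the likelihood, impact and scores used are constructed.

```python
"""Added example (not the book's code): gross, net and target risk for one risk
event, with the control assessment made explicit and a directly assessed net
figure reconciled against it. Likelihoods, impacts and scores are constructed."""


def expected_loss(likelihood, impact):
    """Expected loss from an annual likelihood (0..1) and a monetary impact."""
    if not 0.0 <= likelihood <= 1.0 or impact < 0:
        raise ValueError("likelihood must be in [0, 1] and impact non-negative")
    return likelihood * impact


def control_effectiveness(design, performance):
    """Fraction of gross risk removed by a control, from its design and
    performance scores (each 0..1). Using the product of the two scores is an
    assumption for this example; a firm may choose a different combination rule."""
    for score in (design, performance):
        if not 0.0 <= score <= 1.0:
            raise ValueError("design and performance scores must be in [0, 1]")
    return design * performance


def net_risk(gross, effectiveness):
    """Net (residual) risk: what remains of the gross figure after the control."""
    return gross * (1.0 - effectiveness)


def assess(likelihood, impact, design, performance,
           target_design=None, target_performance=None):
    """Gross risk with no controls assumed, net risk with the existing control,
    and (if a planned control level is given) the target risk after the action plan."""
    gross = expected_loss(likelihood, impact)
    effectiveness = control_effectiveness(design, performance)
    net = net_risk(gross, effectiveness)
    result = {"gross": gross, "effectiveness": effectiveness, "net": net}
    if target_design is not None and target_performance is not None:
        target_effectiveness = control_effectiveness(target_design, target_performance)
        result["target"] = net_risk(gross, target_effectiveness)
        # What the control enhancement plan is expected to buy, in expected loss.
        result["action_plan_benefit"] = net - result["target"]
    return result


def reconcile_net(net_assessed, gross, effectiveness, tolerance=0.10):
    """A net figure assessed directly carries an implicit control assumption.
    Return the effectiveness it implies and whether that agrees with the
    explicit control assessment within an absolute tolerance."""
    if gross <= 0:
        raise ValueError("gross risk must be positive to reconcile against")
    implied = 1.0 - net_assessed / gross
    return {"implied_effectiveness": implied,
            "consistent": abs(implied - effectiveness) <= tolerance}


if __name__ == "__main__":
    # Constructed risk event: 50% annual likelihood, GBP 200,000 impact;
    # existing control scored 0.9 design / 0.8 performance, planned 0.95 / 0.95.
    r = assess(0.5, 200_000, 0.9, 0.8, 0.95, 0.95)
    print(f"gross={r['gross']:.0f} net={r['net']:.0f} target={r['target']:.0f}")
    # A business line that assessed the same risk net at GBP 50,000 has implicitly
    # assumed a weaker control than the explicit assessment says it has.
    print(reconcile_net(50_000, r["gross"], r["effectiveness"]))
```

The mismatch case is the one to look for in practice: a net figure that implies 50% control effectiveness when the explicit control assessment says 72% means either the risk assessment or the control assessment is wrong, and the text's recommendation to assess gross and link the control assessment explicitly avoids having to find out which.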
Frequency of assessment
How often risk and control assessments are carried out is dependent on each
firm’s circumstances. Many firms carry out quarterly risk and control assess-
ments, focusing on the risks and controls which have changed during the
quarter. These firms will often carry out an annual risk and control assessment
going back to the business objective or procedure which formed the basis for
the original assessment. Other firms carry out half-yearly assessments at a more
detailed level.
The best guide is to consider how frequently individual risks are likely to
change. That probably means that it is unlikely that a full risk and control
assessment will be performed on a monthly basis unless the risks are likely
to change that frequently. At the extreme, an assessment may be carried out
several times a day in a department responsible, say, for receiving retail firms’
monies and sending out contract notes or policies.
Likelihood/frequency/impact/severity
Once risks are identified, they are evaluated for likelihood (or frequency)
and impact (sometimes called severity). Likelihood is reviewed on the basis
of how frequently a risk event will occur over a given period (e.g. monthly,
three times a year, once in 50 years). Alternatively, many firms find it helpful
to think of the percentage likelihood of a risk occurring in one year. A more
detailed discussion on alternative likelihood terms and their possible weaknesses is given in connection with Table 9.1.
Impact is reviewed on the basis of the (possible) cost to the firm if the risk
event happens. Whilst the term severity is also used by some firms as being synonymous with impact, the word may also be used as a single value for a risk
assessment, being a combination of likelihood and impact. This was more
common before separate likelihood and impact assessments became widely used.
Expected/unexpected
Risks can also be assessed using the terms expected or unexpected. This refers
both to the expected or unexpected likelihood and to the expected or unexpected impact. In practice, both levels give value to a firm. The expected level
will give a check on the usual effectiveness of the controls and therefore acts
as a check on the provisions or reserves which are made on a regular basis by a
firm. It is similar to the net risk level.
The unexpected level gives information about the amount of capital
required to withstand a financial shock to the firm from a risk event occurring.
This is similar to the gross risk level. The unexpected level is therefore used for
assessing economic and regulatory capital requirements.
Impact components
If the firm considers only direct losses, it significantly limits the business benefits of risk and control assessment. By breaking down the impact into separate
components, such as financial, people, customer and other stakeholders, it can
be easier and more beneficial to assess indirect as well as direct losses.
Loss causal analysis (see Chapter 5, Events and losses) typically analyses
the components of the loss and can be used to ensure that the risk and control
assessment is consistent with the loss analysis and so delivers business value.
Heat maps
Heat maps give readily accessible and visual representation of the risk profile
of a firm. They are often the first risk report seen by the board and, as such,
must be positioned as the start of risk reporting and not the final risk report.
[Figure residue: heat map of residual assessments, with the impact axis labelled ‘Catastrophic’, ‘Critical’, ‘Significant’ and ‘Important’ and cell counts including 9 (3%), 6 (2%), 4 (1%), 2 (0%) and 60 (25%); the full grid is not recoverable from the extracted text.]
Owners
Different levels
There can only be one ultimate owner of a risk and that person must be at
board level. However, the board director responsible for the risk may delegate the management of the risk to another person who in turn may delegate further. This can lead to confusion over who owns the risk. It is likely that
those to whom the risk is delegated only own a part of the risk for which the
board member is ultimately responsible. However, the risk and control assessment process will decompose the risk down to each level – strategic, process,
activity. As a result, the person responsible for a particular process or activity
which contributes to the strategic goal of the firm for which the board member
is responsible will be clearly seen as the person who owns the risks inherent in
the process or activity.
It is often also the case that the CEO is nominated as the owner of most
of the risks when a board first considers its strategic risk profile. This must
be challenged. Board members should take responsibility for their own risks,
for example the sales and marketing director must take responsibility for risks
relating to sales and marketing, such as mis-selling.
Risk owners
Risk owners may exist at several levels, although there is only one ultimate
risk owner. The owner of the risk is responsible for measuring, monitoring
and mitigating the risk, at the relevant level, within the risk appetite set by
the board. The actual tasks of measuring, monitoring and mitigation are gen-
erally given to another member of staff. This does not reduce or remove the
risk owner’s responsibility for managing the risk, which is carried out through
receiving and actioning reports from the staff to whom the tasks have been
delegated.
Control owners
These are the people responsible for managing the mitigation of the risk
through the operation of internal controls. Control owners are vital both in
designing appropriate controls to mitigate the risk and in ensuring adequate
performance of the control in line with the board’s risk appetite. They are
responsible for identifying any action plans necessary to increase the effective-
ness of the control and are also responsible for implementing the action plans.
Identifying controls
Suitable level
Just as identifying a suitable level of risk can be a challenge, so too can iden-
tifying the appropriate level of control. However, as controls are typically
identified after risks, it is often easier to set control identification to the appro-
priate level. If the risk identification has been set, for example, at a business
objectives level, the controls which are identified should be at the same level.
It is very easy to identify controls at a departmental or activity level and
relate these to the business objectives of a firm. However, this should be
avoided as there will be a mismatch between the level of the risks and the level
of the controls. Additionally, it is important to identify and then score the
strategic controls which are in place to mitigate the risks to the business objec-
tives. If this is not undertaken a firm can be lulled into a false sense of security,
believing that its business risks are well controlled by a considerable number of
activity or departmental controls.
Independent controls
When identifying controls, we are seeking to identify the independent con-
trols which mitigate a risk. Although there is some point in identifying
linked controls, far more business benefit will be achieved through identify-
ing and scoring controls which are independent of each other. Controls which
are linked to each other, perhaps in a sequence, are only as good as the pre-
ceding control. This means that if the first control in the sequence fails, none
of the other controls gives any benefit in mitigating the relevant risk(s). It is
therefore vital that controls are checked to ensure that they are independent,
otherwise they become another source of false security.
Three typical independent controls are those which might
be considered to mitigate the risk of ‘Failure to attract, recruit and retain key
staff ’, as shown in Figure 4.6 later: ‘Salary surveys’, ‘Training and mentoring
schemes’ and ‘Retention packages for key staff ’. Linked controls within this
example may be ‘Salary increases’ and ‘Title changes’, both of which are linked
with ‘Salary surveys’.
Types of controls
Controls can be divided into four types: directive, preventative, detective and
corrective.
• Directive controls provide a degree of direction for the firm and are typically
policies, procedures or manuals.
• Preventative controls act to prevent the risk or event from happening.
They are often automated controls, such as guards round a piece of
machinery or system checks to prevent limits being exceeded.
• Detective controls act after the risk or event has happened and identify
and mitigate the risk which has occurred. Typical detective controls
might be the sensors providing warnings of the safety around a piece
of machinery being compromised, or reconciliations and monitoring of
accounting entries.
• Corrective controls again act after the risk event has happened and mitigate
the effects of the event through remedial action. Typical corrective
controls are following-up on outstanding reconciliation items or other
risk reports and taking action following risk monitoring.
It is helpful to differentiate the controls identified into their various types (see
also Chapter 6, Indicators, for a further use of these four types of controls).
This enables the firm to assess whether it has a balance of the different types
of controls or whether it has a number of, for example, detective and corrective
controls but lacks directive and preventative controls. With this imbalance, a
firm will be unlikely to prevent a risk from occurring, but may be well-placed
to minimise the impact of a risk when it does occur. An example of such a risk
would be an external event beyond the firm’s management influence, such as
flooding or a terrorist attack.
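The two checks described above, in Independent controls and in Types of controls, can be applied mechanically to a control inventory. The Python script below is an added illustration and is not taken from the book: a control linked to a predecessor is discounted whenever that predecessor fails, and a risk whose controls are all detective or corrective is flagged as one the firm can only react to. The control names for the staff-retention risk follow the worked example in the text; the type assigned to each control, the flooding risk and its two controls are assumptions made for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

CONTROL_TYPES = ("directive", "preventative", "detective", "corrective")


@dataclass(frozen=True)
class Control:
    name: str
    risk: str
    ctype: str
    depends_on: Optional[str] = None   # preceding control in a linked sequence, if any


def chain_heads(controls):
    """Independent controls: those not linked to a predecessor. A linked control
    is only as good as the control before it, so only the head of each chain
    counts as a separate mitigant."""
    names = {c.name for c in controls}
    heads = []
    for c in controls:
        if c.ctype not in CONTROL_TYPES:
            raise ValueError(f"{c.name}: unknown control type {c.ctype!r}")
        if c.depends_on is not None and c.depends_on not in names:
            raise ValueError(f"{c.name}: depends on unknown control {c.depends_on!r}")
        if c.depends_on is None:
            heads.append(c.name)
    return heads


def surviving_controls(controls, failed):
    """Controls that still give benefit once the controls in `failed` have failed:
    anything downstream of a failed control in its chain is lost with it."""
    by_name = {c.name: c for c in controls}
    alive = []
    for c in controls:
        cur, seen, dead = c, set(), False
        while cur is not None:
            if cur.name in failed:
                dead = True
                break
            if cur.name in seen:
                raise ValueError(f"cycle through {cur.name}")
            seen.add(cur.name)
            cur = by_name[cur.depends_on] if cur.depends_on else None
        if not dead:
            alive.append(c.name)
    return alive


def balance_by_risk(controls):
    """Per risk: count of each control type, the independent controls, and a flag
    when there is nothing directive or preventative (the firm can only react)."""
    grouped = defaultdict(list)
    for c in controls:
        grouped[c.risk].append(c)
    report = {}
    for risk, cs in grouped.items():
        heads = chain_heads(cs)          # also validates every control type
        counts = {t: 0 for t in CONTROL_TYPES}
        for c in cs:
            counts[c.ctype] += 1
        report[risk] = {
            "counts": counts,
            "independent": heads,
            "cannot_prevent": counts["directive"] + counts["preventative"] == 0,
        }
    return report


# Constructed sample. Control names for the first risk follow the worked example in
# the text; the type assigned to each is an assumption for illustration.
STAFF = "Failure to attract, recruit and retain key staff"
FLOOD = "Flooding of the main office"
SAMPLE_CONTROLS = [
    Control("Salary surveys", STAFF, "detective"),
    Control("Salary increases", STAFF, "corrective", depends_on="Salary surveys"),
    Control("Title changes", STAFF, "corrective", depends_on="Salary surveys"),
    Control("Training and mentoring schemes", STAFF, "preventative"),
    Control("Retention packages for key staff", STAFF, "preventative"),
    Control("Water-level sensors in the basement", FLOOD, "detective"),
    Control("Invoke business continuity plan", FLOOD, "corrective"),
]

if __name__ == "__main__":
    for risk, r in balance_by_risk(SAMPLE_CONTROLS).items():
        print(risk, r)
    staff_controls = [c for c in SAMPLE_CONTROLS if c.risk == STAFF]
    print("if salary surveys fail:", surviving_controls(staff_controls, {"Salary surveys"}))
```

Run on the sample, the staff-retention risk shows three independent controls out of five, and the failure of Salary surveys removes both linked controls with it; the flooding risk is reported as one the firm cannot prevent, only detect and correct.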
Figure (control scoring, not reproduced in this extract): preventative controls and detective controls move the gross/inherent risk to the net/residual risk along an impact scale of High, Med-high, Med-low and Low.
• The use of two directions to assess a control mirrors the two dimensions
(likelihood and impact) used to assess a risk. This facilitates a comparison
of the strength of the controls compared with the risk that the
controls are mitigating.
Use of losses
Loss causal analysis is extremely useful in providing objective knowledge of the
probable failure of controls, particularly due to poor performance. Even with-
out comprehensive data it is still possible to use losses as a guide to the likely
scoring of a control. For example, a control is unlikely to be scored as having a
good performance if a number of losses have occurred recently due to its fail-
ure. Conversely, no losses occurring in recent times may be an indication of
good performance – or simply of good luck.
Action plans
Figure (risk and control assessment form, not reproduced in this extract): columns ID, Risks, I, L, S, Owner(s) of the risk, Controls, D, P, E, Owner(s) of the control.
will typically be the risk owner if the action plan is for a new control or the con-
trol owner if the action plan is to enhance an existing control. The owner should
be notified in writing that an action plan has been raised against their name. A
target date should be agreed with the owner and noted in the action plan. Any
delay to the date should also be noted with the reason for the delay.
If the action is significant, and will take a considerable time to complete,
then a cost–benefit analysis may be appropriate. Part of this analysis may be
a consideration of the firm’s risk appetite in comparison to the new resultant
net risk and may involve mathematical modelling of the existing and proposed
risk profiles.
the risks and debating the impact and likelihood of each risk. This will
often be the first time that the team, as a whole, has considered the risks
and controls to the area. The workshop can be used as an effective team
building mechanism enabling all attendees to function more coherently
in the future due to a shared assessment of the risks and controls. The
two major disadvantages of a workshop are the required coordination
of diaries to allow all members of the team to attend and the combined
time required from the team. Workshops also need to be ably facilitated
to make sure that participants have an equal voice and are not dominated
by the behaviour or seniority of one of their members.
• Interviews are far more efficient in the use of time required initially
as each person is usually able to identify and assess the relevant risks
quickly. However, a second round of interviews is often required in order
to share the combined risk assessment with each participant. This can
quickly degenerate into a considerable number of rounds of interviews
unless the process is well managed. There is also relatively little team
building when interviews are used.
• Questionnaires can be particularly useful when the team relating to the
area to be assessed is widespread. For example, if an international business
is being assessed, it may require team members to travel from many
different locations if the assessment is by workshop. However, questionnaire
responses are difficult to collate if a questionnaire is an open one.
Conversely, the responses can be too narrow and insufficiently illuminating
for senior management if the questions are too closed.
One important thing to remember about all of these is their susceptibility
to various forms of bias, either in the questions being asked, the experience
of the participants, the relative seniorities of participants or simply
the way in which they are conducted. Similar issues arise with scenarios and
the topic of behavioural bias is covered in more detail in Chapter 9, Stress
tests and scenarios.
Follow-up
A risk and control assessment workshop, interview or questionnaire invariably
requires follow-up work. This will typically be in relation to further control
investigation and testing. Additionally, risk and control assessment partici-
pants need further time to consider the scores to be assigned to controls, and
sometimes to risks as well. Action plans are another common area requiring
follow-up after a risk and control assessment.
Validation of the identified risks and controls (and their scores) can also be
obtained by follow-up discussions with peer group members and with internal
audit (see also Use of losses to back-test impacts and likelihood above).
Control effectiveness
Once controls have been identified and scored, it is possible to assess their
effectiveness in mitigating the risk. Control scores can be directly compared
with risk scores although many organisations use pictorial representations such
as heat maps (see Figure 4.4) and spidergrams (see Figure 3.10).
Link to provisions/budgets
The expected level of risk impact, i.e. the net or residual level after controls,
can be linked to management provisions and budgets as this is the ‘accepted’
level of loss from a risk and will therefore be taken into account when calcu-
lating internal management figures. This level of impact can be regarded as
the cost of doing business. Where there is little or no link between manage-
ment budgets for expected loss figures and the figure indicated as the residual
impact on a risk assessment, management should be challenged on the validity
of the budget or the residual impact or both.
Internal audit
The production of risk and control assessments is of great use to internal audit.
A risk assessment identifies areas where management believes the controls
are adequate and areas where management believes that the
controls require enhancement. Internal audit based on perceived adequate
controls can be extremely helpful. If it is confirmed that controls are indeed
adequate, remedial action can be focused elsewhere. However, if the internal
audit finds that controls are not operating as intended and as believed, the
need for remedial action is clear.
Summary
Risk and control assessments are probably the first step in establishing an
operational risk management process. The concepts of impact and likelihood
assessments are readily grasped and they can deliver quick business benefit to
the risk owners in the business as well as those in either an oversight or inde-
pendent assurance role.
Introduction
What is meant by an event
Data attributes
Who reports the data?
Reporting threshold
Use of events
External loss databases
Using major events
Timeliness of data
Summary
Introduction
Events and losses are a fundamental part of operational risk management. They
are a clear and explicit signal that an operational risk has occurred. This may
be due to the failure of a control, the lack of a control or simply a very unusual
event that was not foreseen.
As shown in Figure 5.1, events are one of the three fundamental processes of
operational risk management. They provide valuable objective challenge to the
subjective nature of risk and control assessments. They are also often used as
indicators of risks and controls, as we shall see in Chapter 6, Indicators.
Figure 5.1 (not reproduced in this extract): under Governance, the three fundamental processes feeding Reporting: risk and control assessment (specify risk appetite and assess likelihood and impact; identify risk owner and control owner; identify controls and assess design and performance), indicators (identify key risk and control indicators) and events (identify and capture internal and external events; analyse causes).
• a direct soft event is the loss of sales that were unable to be concluded
– although this is difficult to quantify, it is a direct consequence of
the event
• an indirect soft event is less growth achieved by the firm than it had
budgeted – this is also difficult to quantify, although it is still a consequence
of the event.
Near misses
Events can also be categorised into actual losses or near misses. An actual loss
is easy to describe in that it is a debit to the profit and loss account of the firm
or the reduction of the value of an asset held by the firm.
There are at least two different definitions of a near miss:
Clearly, in the first definition, there is no actual loss because the risk has not
occurred. However, valuable information can be captured by identifying and
analysing even this sort of event, since one or more controls have failed in order
for a near miss to have occurred.
In the second definition, either a positive or a negative value is attached to
the event (a gain or a loss), or there is no financial impact at all, although there
may be some non-financial impact. Some firms which adopt the first definition
as a near miss characterise the second definition as an incident, to differentiate
it from an event which has a negative financial impact. Again, there is sig-
nificant operational risk management information: preventative controls have
failed (or they did not exist) and need to be analysed, whilst the detective and
corrective controls may have worked; or the firm may have been very fortunate.
As an example, a brick falls from the top of a building on a building site, but
nobody is hit or hurt.
Near misses are therefore invaluable for challenging risk and control
assessment scores. They are particularly helpful in assessing the performance
of controls. If there have been a number of near misses relating to a specific
preventative control, the current score of that control should be questioned,
especially if its performance is assessed as good or even very good.
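The back-test implied here and in Use of losses above can be run over the event record rather than argued case by case. The Python script below is an added example and not part of the book: it counts the losses and near misses attributed to each control inside a look-back window and challenges any control scored good or very good that has failed more than a tolerated number of times, while recording "no evidence" rather than confirming a good score for a control with no events, since that may be performance or simply luck. The four-point performance scale, the one-year window, the tolerance of one failure and the event records are assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

PERFORMANCE_SCALE = ("poor", "fair", "good", "very good")   # assumed four-point scale


@dataclass(frozen=True)
class RecordedEvent:
    event_id: str
    discovered: date
    kind: str              # "loss" or "near miss"
    failed_control: str    # primary control failure found by causal analysis
    net_loss: float = 0.0  # zero for a near miss


def failures_by_control(events, as_at, window_days):
    """Count losses and near misses per failed control inside the look-back window."""
    start = as_at - timedelta(days=window_days)
    counts = {}
    for ev in events:
        if ev.kind not in ("loss", "near miss"):
            raise ValueError(f"{ev.event_id}: unknown event kind {ev.kind!r}")
        if start <= ev.discovered <= as_at:
            c = counts.setdefault(ev.failed_control, {"loss": 0, "near miss": 0})
            c[ev.kind] += 1
    return counts


def challenge_control_scores(scores, events, as_at, window_days=365, tolerance=1):
    """Back-test RCA performance scores against the event record.

    Returns control -> (verdict, losses, near_misses) where verdict is
      'challenge'    scored good/very good yet failed more than `tolerance` times
      'consistent'   score and evidence agree
      'no evidence'  nothing recorded: good performance or good luck, proof of neither
    """
    history = failures_by_control(events, as_at, window_days)
    verdicts = {}
    for control, score in scores.items():
        if score not in PERFORMANCE_SCALE:
            raise ValueError(f"{control}: score {score!r} not on scale")
        hist = history.get(control)
        if hist is None:
            verdicts[control] = ("no evidence", 0, 0)
            continue
        failures = hist["loss"] + hist["near miss"]
        if score in ("good", "very good") and failures > tolerance:
            verdicts[control] = ("challenge", hist["loss"], hist["near miss"])
        else:
            verdicts[control] = ("consistent", hist["loss"], hist["near miss"])
    return verdicts


# Constructed sample: RCA scores and an event log for one business unit (not real data).
SAMPLE_SCORES = {
    "Four-eyes approval of outgoing payments": "very good",
    "Daily nostro reconciliation": "fair",
    "Pre-deal limit check in trading system": "good",
}
AS_AT = date(2010, 12, 31)
SAMPLE_EVENTS = [
    RecordedEvent("E1", date(2010, 3, 4), "near miss", "Four-eyes approval of outgoing payments"),
    RecordedEvent("E2", date(2010, 6, 11), "near miss", "Four-eyes approval of outgoing payments"),
    RecordedEvent("E3", date(2010, 9, 2), "loss", "Four-eyes approval of outgoing payments", 42_000.0),
    RecordedEvent("E4", date(2010, 2, 17), "loss", "Daily nostro reconciliation", 3_100.0),
    RecordedEvent("E5", date(2010, 10, 28), "loss", "Daily nostro reconciliation", 850.0),
    # older than the window: must not count as evidence either way
    RecordedEvent("E6", date(2008, 5, 5), "loss", "Pre-deal limit check in trading system", 9_000.0),
]


def run_example():
    return challenge_control_scores(SAMPLE_SCORES, SAMPLE_EVENTS, AS_AT)


if __name__ == "__main__":
    for control, (verdict, losses, near) in run_example().items():
        print(f"{verdict:12} losses={losses} near_misses={near}  {control}")
```

On the sample the four-eyes control, scored very good, is challenged on two near misses and one loss; the reconciliation control's fair score is consistent with its two losses; and the limit check, whose only failure is outside the window, is reported as having no evidence rather than as confirmed good.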
Lost data
One of the great problems with operational risk is that it depends on the com-
prehensive reporting of events and losses, near misses and gains in order to
build up as accurate a picture as possible of the scale of operational risk in the
firm, or whether controls are effective. However, events and losses are rarely
reported fully. Actual losses are the best reported, although even these are fre-
quently incomplete. As noted above, near misses are less frequently reported
and gains are rarely reported at all. Considerable amounts of information are
therefore in danger of being lost.
One way some firms have successfully tackled the problem of lost data is by
making the operational risk function responsible for the insurances of the firm.
The head of operational risk (in conjunction with the CFO) then assures the
business line heads that any potential loss which is reported to operational risk
within 12 hours of first being identified will not be charged to the business line
profit and loss, even if it ultimately results in an actual loss. This approach:
• encourages more complete reporting of events and losses
• encourages earlier reporting of events and losses
• encourages near miss reporting, as events are reported before they
become losses
• does not disadvantage the firm, as losses simply move from one account
centre to another (business line to risk management)
• results in the insurance buyers in the firm being more fully informed.
Data attributes
Given the valuable business uses to which events and losses – and gains – can
be put (see later, Use of events), the next step in the process is to decide what
information should be gathered about the events and losses. The information
collected will vary from firm to firm, but there is a minimum set of data attri-
butes which is collected:
• name of the firm in which the event occurred
• geographical location of the event
• business activity
• loss event type, down to a detailed level
• the event start date, discovery date (and end date, if the event has finished)
• description of the event
• causes of the event
• amount of loss and recovery components
• management actions taken.
Name of firm
This may seem obvious, but in a group of companies more than one firm
may be involved. Often both the name of the organisation in which the event
occurred and the name of the organisation in which the event is detected are
recorded as both of these are important from a risk management and control
improvement perspective. Additionally, data may be held relating to the firm
which will suffer any loss, as this may be different from the firm in which the
event occurred and the firm which detected the event. This can happen, partic-
ularly in a group, where the firm in which a transaction is booked is different
from the firm in which the transaction is originally undertaken and again dif-
ferent from the firm processing the transaction.
Geographic location
Recording where an event happens is important from an operational risk man-
agement perspective. There may be control weaknesses which are inherent in a
particular location (perhaps due to ethnic culture) or, alternatively, which indi-
cate a better or worse control culture, as compared with other locations. Either
way, it is vital to understand each area’s control ability so that decisions on
improving controls can be taken based on knowledge, rather than take a blan-
ket approach, possibly based on guesswork.
Business activity
Identifying the particular business activity or product line is useful, especially
in a group where business units in different companies may be involved in
the same activity or in selling similar products. It helps to achieve consistent
reporting, both within the group and if external reporting is necessary, perhaps
to a government body or regulator, although it is not often that the taxonomy
of external reports conforms to internal ones. Recording the business activity
can also identify units where controls which are operated across a particular
activity have failed, or appear to have been particularly successful, and point to
improvements which will benefit the whole group.
An example of business activities used by an industry is the table of busi-
ness lines set by the Basel Committee in its Revised Framework issued in June
2004 (see Table 5.1). These are focused on profit centres (as given by the name
‘business lines’). But cost centres are just as valid. Significant operational risk
events can occur in, for example, HR, the legal division, IT or even the CEO’s
office. In fact some of the biggest risks lie at the door of the CEO’s office.
Examples range from unguarded statements (Ratner) to outright fraud (Enron
and Maxwell).
Firms should, of course, draw up their own schedules of business lines or
activities. The list given in Table 5.1 is bank-related. In banking, all banks can
draw up their own lists, but have to be able to map them to the ‘Basel’ busi-
ness lines. Whilst a common taxonomy may help regulators to compare firms
and jurisdictions, there is a danger that firms simply adopt the regulators’ tax-
onomy, without really thinking about what is useful for their business.
The Basel business lines are, in fact, often fairly meaningless even to many
financial services firms as there are relatively few firms which span a significant
number of business lines. Firms which cover only one or two business lines,
such as for example asset managers, are far more likely to analyse the loss data
at a detailed level which is relevant to them. They may prefer to categorise loss
data by fund type or by each fund. It is common for the trustees of a fund to
require notification from the manager of losses which have been suffered by the
fund above a certain level, either an absolute monetary amount or a specified
percentage of the fund assets under management.
Table 5.1 Basel business lines (table not reproduced in this extract; only the cells 'Advisory services' and 'Treasury' survive extraction).
Dates
It might be thought that the date of an event or loss is a fairly simple piece of
data to record. However, it can be difficult, particularly if the event occurred
several months before detection. Often the only clear date is when the event is
discovered. Some events occur over a period of time, in which case it is help-
ful to record the start and end dates. On the other hand, when an event is first
reported, it is often ongoing and it may be a number of months before it is
closed and the loss established.
Where the ‘event’ is in fact a number of separate events linked by a single
cause, such as the unauthorised trading undertaken by Nick Leeson at Barings
and Jérôme Kerviel at Société Générale, a single date may be inappropriate and
a period may work better. In that case, though, it is important to consider the
effect on estimates of likelihood, since dates are fundamental to this. In operational
risk assessments, even dates are not as simple as they seem.
Table 5.1 source: Adapted from Basel Committee on Banking Supervision, International Convergence of Capital Measurements and Capital Standards: A Revised Framework, June 2004, Annex 7.
Description
At a minimum, a brief description of the event should be given. However,
some firms require event descriptions which can run to a page or more. Whilst
it is helpful to have all the information recorded, this may work against the
speedy and timely reporting of events – or even their being reported at all. A
well-run firm may have an absolute requirement for a brief description within,
say, 24 hours of the event being detected, followed by a more detailed descrip-
tion when sufficient information is available.
Causes
Cause lies at the heart of operational risk management. It is not enough to
know that an event occurred or nearly occurred. It is essential to understand
why, so that remedial action can be taken. Reporting events and not causes
means that they can be counted, but not managed. The cause of an event
should form part of the detailed description of an event, although it is more
helpful to report it separately. There is a danger, if cause, event and effect are
not separately identified, for the loss event type (of the types shown in Table
5.2) to be used as a proxy for causal analysis. There is relatively little loss of
business benefit by doing so if the point of the exercise is to provide a consis-
tent basis for assessing risk. But the point is often ignored.
There are certainly benefits to be gained through a more accurate descrip-
tion of the cause of an event and allocating causes to generic causal categories.
But the most important information in reports of loss events is to identify the
controls which have failed. At least a primary control failure should be identi-
fied, although firms should identify secondary control failures as well. A single
event is often the result of a number of control failures. Careful causal analysis
will identify priorities to enhance or improve controls.
Since a single cause can trigger a number of different risk events, linked
risks can also be identified by recording causes, as well as any risk indicators
which relate to the event. This will enable a holistic analysis of events to be
easily undertaken, which will link together the three fundamental operational
risk management processes of risk and control assessments, indicators and
event causal analysis.
which can occur if the amount of loss from an event is regularly recalculated
according to prevailing exchange rates, the simplest practice is to rely on the
exchange rate obtaining when the event is first reported. As rates fluctuate,
that could, of course, mask the materiality of a particular event, but it has the
merit of consistency.
One final issue is where a number of events, possibly relatively small in
value, are linked by a single cause, but in aggregate amount to a significant
figure. Let us return to the unauthorised trading losses incurred by Barings
and Société Générale, through the activities of Nick Leeson and Jérôme
Kerviel, totalling as they did US$1bn and €5bn respectively. Did each false
trade reflect the failure of a particular – or possibly the same – control, or were
they the result of a general cause, ‘unauthorised, or fictitious, trading’ by the
individuals concerned? Do you choose one aggregate amount, which is way
down the tail of your losses – how the events are often portrayed publicly –
or record each of the much smaller events, representing the individual control
failures which occurred?
The answer depends on your identification of control failures, or combin-
ations of control failures, but your decision will have a significant effect on
your risk modelling. It may also affect any insurance recovery. Does each event
fall below the policy deductible, and so is excluded, or is the aggregate sum
the amount covered? That obviously depends on the policy wording, but in the
end it goes back to the cause of loss.
Actions
The actions recorded can be divided into two types: immediate actions and
correct or improve actions. For example, when a laptop is lost, an immediate
action will be to disable the laptop’s access to the firm’s network. This is typ-
ical of an immediate reaction to the detection of an event. Following causal
analysis of the event, correct or improve actions may be:
• a staff note reminding staff to lock all laptops in the boot of their car
when transporting them
• a redrafted policy regarding to whom laptops will be issued
• the purchase of encryption software to be installed on all laptops used
within the firm.
There is a clear difference between the two types of actions: immediate damage
limitation, followed by considered further action at amending and reinforcing
controls or the implementation of additional controls.
Additional information
It is helpful to allocate an owner to the loss so that there is clear responsibility
for achieving the actions necessary to ensure that the event does not happen to
the firm again.
Where a transaction or trade is involved, the unique transaction or trade
number is recorded, together with any relevant client details. This is, of course,
important if the event has a loss attached to it which may be passed back to
the client.
Internal and external notifications may also be necessary: internally to the
firm’s compliance, fraud or health and safety department, for instance; or ex-
ternally, to a regulator or government authority, depending on the type of
event that has occurred. And, of course, operational risk management must be
notified if they are not already aware.
All of these various elements come together in the type of loss reporting
form shown in Figure 5.2.
Reporting threshold
The reporting threshold, the level down to which a firm seeks to capture oper-
ational risk events, is a cost–benefit decision. The Basel Committee has set a
threshold of €10,000 for loss reporting by banks. It is interesting that, in a
recent survey of over 100 banks from around the world, most had a threshold
of €5,000 or below.² A number of firms, including banks, have a policy to
report all losses, no matter what size.
The operational risk management departments of many firms which have
set a size limit generally monitor losses down to a lower level, since sev-
eral smaller losses can add up to one larger loss which is above the reporting
threshold. In this way continual small control failures are captured before they
turn into a significant value. Weak signals can often demand strong action.
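The following Python script is an added illustration and is not taken from the book. It brings together the minimum data attributes listed under Data attributes, the practice described under the amount of loss of fixing the exchange rate at first report, and the two views of events linked by a single cause: each event on its own against the reporting threshold, and the below-threshold events the operational risk function continues to monitor, aggregated by cause so that several small control failures surface as one reportable figure. The €10,000 threshold is the figure quoted above; the €1,000 monitoring floor, the exchange rates, the firm and the event records are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
from typing import Optional

BASE_CCY = "EUR"
REPORTING_THRESHOLD = Decimal("10000")   # per-event capture threshold (the Basel figure quoted above)
MONITORING_FLOOR = Decimal("1000")       # assumed lower level the OR function still watches
# Constructed rates, units of base currency per unit of event currency, as captured when
# each event was first reported. In practice the rate is stored on the event record.
RATES_AT_FIRST_REPORT = {"EUR": Decimal("1"), "USD": Decimal("0.90"), "GBP": Decimal("1.15")}


@dataclass(frozen=True)
class LossEvent:
    """The minimum attribute set: firm, location, activity, event type, dates,
    description, cause, loss and recovery components, actions taken."""
    event_id: str
    firm: str
    location: str
    business_activity: str
    event_type: str
    start: date
    discovered: date
    end: Optional[date]
    description: str
    cause: str
    gross_loss: Decimal
    recovery: Decimal
    currency: str
    actions: tuple = ()


def net_in_base(ev, rates=RATES_AT_FIRST_REPORT):
    """Net loss (gross less recovery) converted once, at the rate obtaining when the
    event was first reported, so the figure does not drift as rates move."""
    return (ev.gross_loss - ev.recovery) * rates[ev.currency]


def by_cause(events, rates=RATES_AT_FIRST_REPORT):
    """Count and net base-currency loss per recorded cause."""
    agg = defaultdict(lambda: {"count": 0, "net": Decimal("0"), "events": []})
    for ev in events:
        a = agg[ev.cause]
        a["count"] += 1
        a["net"] += net_in_base(ev, rates)
        a["events"].append(ev.event_id)
    return dict(agg)


def threshold_report(events, threshold=REPORTING_THRESHOLD, floor=MONITORING_FLOOR,
                     rates=RATES_AT_FIRST_REPORT):
    """Events reportable on their own, events monitored below the threshold, and
    causes whose monitored events add up to a reportable figure."""
    reportable, monitored = [], []
    for ev in events:
        net = net_in_base(ev, rates)
        if net >= threshold:
            reportable.append(ev.event_id)
        elif net >= floor:
            monitored.append(ev.event_id)
    small = [ev for ev in events if ev.event_id in monitored]
    escalated = {cause: a for cause, a in by_cause(small, rates).items() if a["net"] >= threshold}
    return {"reportable": reportable, "monitored": monitored, "escalated_causes": escalated}


def _mk(eid, cause, gross, ccy, recovery="0", activity="Trading", day=1):
    # Constructed sample record; the fixed fields stand in for a completed loss form.
    when = date(2010, 6, day)
    return LossEvent(eid, "Example Bank plc", "London", activity,
                     "Execution, delivery and process management", when, when, when,
                     f"{cause} ({eid})", cause, Decimal(gross), Decimal(recovery), ccy)


UNAUTH = "Trades booked beyond limit by one dealer"
SAMPLE_EVENTS = [
    _mk("E1", "Payment keyed to wrong beneficiary", "20000", "USD", recovery="5000", activity="Payments"),
    _mk("E2", UNAUTH, "3000", "EUR", day=2),
    _mk("E3", UNAUTH, "3000", "EUR", day=3),
    _mk("E4", UNAUTH, "3000", "EUR", day=4),
    _mk("E5", UNAUTH, "3000", "EUR", day=5),
    _mk("E6", "Late confirmation", "2000", "EUR", day=8),
    _mk("E7", "Courier fee refund", "500", "GBP", day=9),   # below the monitoring floor
]

if __name__ == "__main__":
    rep = threshold_report(SAMPLE_EVENTS)
    print("reportable:", rep["reportable"])
    print("monitored :", rep["monitored"])
    for cause, a in rep["escalated_causes"].items():
        print(f"escalate  : {cause}: {a['count']} events, net {a['net']} {BASE_CCY}")
```

On the sample only the USD payment error is reportable on its own (net €13,500 at the rate fixed when it was reported); the four €3,000 dealer events each sit below the threshold but, sharing one cause, aggregate to €12,000 and are escalated together, which is also the question that decides whether an insurance deductible is applied once or four times.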
Many firms believe that capturing small losses costs more than the benefit
achieved. However, a reporting threshold above zero will prevent a significant
Use of events
Causal analysis of events is critical for effective operational risk management.
The analysis can be used to challenge risk assessments and control assessments,
to validate indicators and to assist in the production of scenarios and stress
tests. Additionally, losses can be used in mathematical modelling for economic
capital allocation and for regulatory capital calculation.
Indicators
Events and losses can also be used to validate indicators. If an indicator shows that
a control is starting to fail or that a risk is more likely to happen, some events
will be expected to occur. If the events do not occur, the indicator must be chal-
lenged in case it is not as relevant to the risk as was originally thought. It should
be borne in mind that a failure of one control will not necessarily cause a risk to
occur, as other preventative controls may be in place and working. Whether or
not this is the case can easily be seen from the risk and control assessment.
Equally, events and losses can be used to validate indicators of detective con-
trols. In a similar way to the validation of preventative controls, the size of the
events and losses is a guide to how well the detective control indicators are
Figure (external loss data sources, not reproduced in this extract): labels 'Publicly available' and 'Low frequency, high impact'.
GOLD loss database, which started in 2000.³ Consortium databases are a good
example of the art of the possible. They often comprise only hard, direct losses,
rather than indirect loss amounts, because that increases consistency and elimi-
nates internal subjective assessments, including information which may be
price sensitive. But they provide valuable additional events, especially towards
the tail of the loss curve.
This type of data is inevitably of a similar type to a firm’s own loss data in
that it ranges from high frequency/low impact to medium frequency/medium
impact events. As such, it provides valuable validation and confirmation of
a firm’s own loss data. In addition, it can provide an early warning of losses
which have occurred to a competitor but are not yet occurring to your firm.
Given this warning, a firm is able to reassess its own controls in relation to
the risks being suffered by its peers and possibly reduce or even eliminate the
approaching losses relating to those risks.
A different type of loss database captures publicly available loss and event
data. These events are typically reported on the internet or in the media and
are of such a size or consequence that they are impossible to hide. Such data
are, by their nature, relatively rare, although they are the most valuable source
of data as losses of this size will rarely appear in a firm’s own data but are of a
size which could cause a firm to collapse. You can collect the data yourself, or
save some of the effort by subscribing to a firm offering that service and which
may be able to investigate further and provide a more objective analysis than
the information given in the press.
Finally, government agencies, such as the Health and Safety Executive, or
industry bodies, provide industry-wide information on events. As with all the
other external information, this is useful in helping firms to benchmark their
own performance and the quality of their controls.
Data completeness
The completeness of data in an external loss database is a major challenge to
anyone using the data for causal analysis. In a database consisting of competi-
tors’ internal losses, it is worth bearing in mind that the quality of reporting
Data consistency
A linked problem is the quality and consistency of the data. Even if the data
approaches completeness (which is highly unlikely), it is important that the
data is of good quality. It is inevitable that the quality of the data will vary by
consortium member with some members contributing the minimum required
and others giving significant amounts of information. It is not uncommon for
a significant percentage of data initially submitted to the data consolidator to
be returned to consortium members because the data requires cleaning or fur-
ther enhancement before it can be used by the consortium.
In a loss database recording public losses, knowledge of the control en-
vironment relating to each loss is very variable. This inevitably leads to a
problematic quality of data, when using it for causal analysis or modelling pur-
poses, as data consistency is vital to a meaningful analysis of either causes or
capital assessments. Public information is also unlikely to tell the whole causal
story, if only for good competitive or reputational reasons.
Scaling
One of the most significant problems with external loss data is how to scale
the loss with respect to another firm. For example, the Barings loss was in
the order of US$1bn. Barings was a well respected City of London bank with
a strong pedigree, although not large by international standards. It had a
number of offices (although, again, not a large number) around the world and
dealt in a wide variety of financial instruments. How should Deutsche Bank
consider the loss that Barings suffered? Clearly, Deutsche Bank is a much
larger bank than Barings and so could possibly suffer a much larger loss. But
how much larger? What multiplier should Deutsche Bank use? Should it
be based on the comparative number of staff, gross revenues, profitability or
something else which is in the public domain?
On the other hand, Deutsche Bank has more resources to hand, as it is a very
much larger bank. Maybe the loss that it could suffer from poor segregation of
duties should be smaller than US$1bn. After all, segregation of duties is a fun-
damental control that is an absolute requirement for the boards of many firms
whatever the industry. Additionally, large banks’ operational risk controls are
generally perceived to be better than those of smaller banks, notwithstand-
ing the large operational losses suffered by a number of large banks over the
years. In which case, how much smaller? Possibly an inverse of the ratio of the
number of staff, gross revenues or profitability?
A pragmatic approach is to scale each loss with respect to the particular fac-
tors that influenced the loss, if these are known. For the Barings loss, a firm
might first take into account the number of its branches which are small
enough to have a segregation of duties problem. This is because, in a small
unit, complete segregation of duties is often impossible; duties tend to be
concentrated in the unit manager as there is no-one else who has the experience
and authority to carry out supervisory controls. Having established the number
of relevant branches, a further analysis is then made of the types of products
handled in those branches and their value. By combining the two factors, it is
possible to assess the likely effect of a similar incident on the firm concerned.
Using this method demands little detailed research about the precise size
or financials of the loss suffering firm, information which will probably be
historic and of little relevance. It avoids using probably spurious correlations
between firms by simple numeric multipliers of sales turnover or staff. It also
has the advantage that changes to the risk environment of the firm, such as
more or fewer small branches in the future or changes in the product range, will
naturally be reflected in the value of the potential risk impact. It doesn’t even
require knowledge of the precise amount lost by Barings. You only need to
know that the risk event happened and apply this knowledge to the firm’s
risk and control profile, from which a value is easily deduced. Go back to the
causes, not the numbers.
The main disadvantage of the pragmatic approach is that you need to exam-
ine each loss in order to determine what the relevant risk factors are. However,
the relevance of the result far outweighs the time required for this additional
work, which will be required anyway if several high level factors are captured
for each loss such as number of staff, gross revenues and profitability. Such an
examination is required only once for each loss and then additionally for new
losses as they are captured.
Timeliness of data
Event data degrades over time as the acceptable level of control environments
and people’s perceptions of control environments change. For example, as IT
environments change, manual controls will also change. Automated controls
are also frequently updated as software improves. So, any analysis of loss event
data must be careful to take the current environment into account.
Summary
Events, being what has actually happened, are probably the only hard facts we
have in operational risk to make judgements about the future. However, as we
have seen, the information we gain from them comes with a number of health
warnings. The data will never be complete. As events occur, they inevitably
affect behaviour, whether individual or corporate, which means that even if
we have captured information comprehensively and accurately, its usefulness
degrades over time.
The information gained from events validates and supports risk and control
assessments, the levels of indicators and scenarios, and is fundamental to assess-
ing capital requirements. But we should be careful that it does not bear too
great a load of expectation.
Notes
1 Andrew Hughes, Failure to learn (Sydney: CCH Australia Limited), 2009.
2 Basel Committee on Banking Supervision, Loss Data Collection Exercise, 2008.
www.bis.org.
3 See www.bba.org.uk/content/1/c4/65/05/GOLD_Brochure.pdf.
Introduction
Key performance indicators and key risk indicators
Establishing KRIs and KCIs
Targets and thresholds
Periodicity
Identifying the leading and lagging indicators
Action plans
Dashboards
Summary
Introduction
Key risk indicators (KRIs) are a fundamental part of any comprehensive oper-
ational risk management framework and yet many firms seem to be puzzled
and confused by them. The confusion may be less if they are called IRKs
(indicators of risks which are key) or IKRs (indicators of key risks). They are
definitely not ‘key’ risk indicators as this leads to far too many indicators.
Many firms have identified several hundred indicators and are trying to
manage their businesses by using this number of key risk indicators. However,
it is highly questionable as to whether any business can truly have or indeed
manage that number of indicators of key risks – or have the number of key
risks which will give rise to several hundred indicators.
Other firms have striven for a very small number of indicators which will
tell them about the well-being of the firm overall. This approach brings to
mind a doctor trying to assess the complete state of your health only by taking
your blood pressure, your pulse and listening to your heart. Clearly a good
place to start, but definitely not to finish.
As can be seen in Figure 6.1 indicators are one of the three fundamental
processes of operational risk management. Indicators of risks which are key
can provide vital early warning signs to enable threats to the business and its
objectives to be managed before they happen. Such indicators are typically
called leading or predictive indicators. They give the current risk and control
levels, as opposed to historic or future values.
Figure 6.1 The operational risk framework (diagram): Governance; Identify key risk and control indicators; Specify risk appetite; Assess likelihood and impact; Identify risk owner; Identify control owner; Assess design and performance; Identify and capture internal and external events; Analyse causes; Reporting.
As indicators give today’s levels of risk, they also enable trends in risks and
their associated controls to be investigated and analysed. This trend analysis
can help to predict events before they happen. It can also signal that escalation
criteria have been breached and so trigger management action.
Figure 6.2 KPIs, KRIs and KCIs (diagram): KRI: change in likelihood or impact, linked to RCA; KPI: change in business performance, linked to business objectives; KCI: change in design or performance, linked to RCA.
KPIs are about the performance of the business and are typically linked
directly to the business objectives. Examples of KPIs are: sales, revenues, prof-
itability, total costs, staff costs, premises costs and IT costs. Some, though,
can also act as KRIs. Examples could be: market penetration (risk: poor distri-
bution network), or board and senior management turnover (risk: loss of key
staff). By comparison, KRIs tell us about changes in the likelihood or impact
of a key risk and can be linked to a risk and control assessment.
Figure 6.2 shows how KPIs and KRIs relate to each other and also how they
relate to a third set of key indicators, key control indicators (KCIs). KCIs tell
us about the change in the design or performance of controls and again can be
linked to a risk and control assessment. KCIs fall into two categories: indi-
cators of those controls which mitigate individual key risks and indicators of
those controls which mitigate a number of risks.
Approaches to identification
Management support is essential for establishing indicators of risks which are
key. There are various approaches to identifying indicators of key risks and key
controls. Some of these are more likely than others to attract management sup-
port and drive.
They are:
• using a blank sheet of paper
• using existing management information
• using an existing risk and control assessment.
Figure (risk and control assessment template) with columns: ID; Risks; Owner(s) of the risk; I; L; S; Controls; Owner(s) of the control; D; P; E.
Figure (example risks, risk indicators, controls and control indicators; L = Likelihood, I = Impact)
1 Failure to attract, recruit and retain key staff
Risk indicators: L: Staff turnover (annualized); L: Offer/acceptance ratio (percentage); L: Employer survey ranking; I: Client complaints (per week); I: Error rates (per week).
Controls: Salary surveys; Training and mentoring schemes; Retention packages for key staff.
Control indicators: Employer salary survey ranking; Training costs; Staff turnover.
2 Financial advisors misinterpret/fail to understand the complexity of “equity release” products
Risk indicators: L: Time spent on each client; I: No. of complaints (per month).
Controls: Staff training; Learning gained from previous deals; Review of individual needs in performance appraisal process.
Control indicators: No. of staff attending the training courses; No. of staff queries.
3 Poor staff communication
Risk indicators: L: No. of general meetings/newsletters (per month); I: Staff morale (survey).
Controls: Defined communication channels; Documented procedures and processes.
Control indicators: No. of internal newsletters published; No. of accesses to intranet pages where documented procedures and processes are displayed.
4 Failure to understand the law and/or regulations
Risk indicators: L: No. of front office queries to compliance office (per month); I: No. breaching the law (per month).
Controls: FSA registration; Regular updates from various sources; External training courses.
Control indicators: No. of FSA visits; No. of newsletters published from compliance department; No. of newsletters published by the staff after attending training courses.
5 Poor detection of money laundering
Risk indicators: L: Refer to controls; I: No. of times money is laundered (per year).
Controls: Anti-Money Laundering annual training; Circulation of British Bankers’ Association awareness circulars; Know Your Customer.
Control indicators: No. of people NOT attending Anti-Money Laundering course; No. of circulars distributed compared to number of circulars received; No. of potential clients rejected due to Know Your Customer.
In the example shown in Figure 6.5 a mean target of 5 has been set with
a green band of 4 to 6. The indicator has bands on both sides with an amber
band of 3 or 2 on the lower side and a value of 7 on the upper side. These
bands represent a breach of risk appetite. 1 or below is in the lower red band
and 8 or above is in the upper red band. At this level there has been a sig-
nificant breach of risk appetite. This is an example of an indicator which is
bounded on both sides and which has uneven bands.
It is also common for indicators to have one-sided bands, for example a
green band of 0 and 1, an amber band of 2 or 3, and a red band of 4 and above.
Indicators can also be binary, that is they move directly from a green band to
a red band. An example of this type of indicator might be the number of fatal-
ities on a construction site where the contractor will have a green level of 0 and
a red level of 1 or more.
Clearly these bands should be linked to the appetite of a firm. For example,
for the key risk ‘Loss of key staff ’ an indicator may be ‘Key staff turnover’ and
the bands agreed as in Figure 6.6.
Figure 6.6 Thresholds for ‘Loss of key staff’ risk and risk appetite for key staff turnover
A firm may be willing to accept a key staff turnover of between 10% and
15%. The management of key staff turnover at this level may be delegated to
the relevant head of business. This level is considered to be normal and accept-
able for the business.
Key staff turnover between 5% and 9% and between 16% and 20% may be
regarded by the business as inconvenient and, for the upper range, expensive
but nevertheless tolerable. These levels of key staff turnover may be notified
to an appropriate senior manager or group, such as the risk committee, so that
action can be taken to bring key staff turnover back to the green band, if this is
considered appropriate.
Key staff turnover over 20% may be regarded as too expensive for the busi-
ness, both in terms of loss of corporate knowledge and of recruitment costs.
It will probably also result in disruption to the business and mean that some
months go by before stability and cohesion is restored to senior management.
Key staff turnover under 5%, though, may also be considered to be a ‘red’ indi-
cator, as being at too low a level for the business, since fresh ideas and new
approaches are often brought in by new key staff. Low key staff turnover can
also be a reflection of a senior management cadre which is relatively overpaid
and complacent. These levels of key staff turnover would probably be notified
to the board as well as the risk committee.
Periodicity
Indicators can be tracked over various lengths of time (e.g. daily, weekly,
monthly or annually). Most typically, risk indicators are recorded on a monthly
basis although indicators of risks which are at a transaction level are often daily
or even intra-day. The periodicity of an indicator is largely irrelevant to using it
for managing a risk. Much more important is how frequently the risk changes.
An indicator linking a risk to a daily process or activity clearly requires
recording on a daily basis, for example an indicator which records whether
or not daily reconciliations of a bank account have been completed. Equally,
operating before and after the event has occurred (see Identifying controls in
Chapter 4, Risk and control assessment).
Action plans
Collecting and monitoring indicators is of no use unless action is subsequently
taken. A firm will clearly wish to take action if a leading indicator shows that
the risk is more likely to occur. Action plans raised by indicators will be simi-
lar to other management action plans in that they will include the objective to
be achieved through completion of the action plan, the expected date of com-
pletion, the owner of the action plan and other typical items. However, there
will also be reference to the control which is failing (if applicable), the risk
which has been identified as more likely to occur and the possible impact to
the firm if the risk does occur. These points, which are linked explicitly to an
indicator, will be helpful in preparing a cost–benefit analysis for the action plan.
Dashboards
Indicators are commonly reported on dashboards, an example of which is given
in Figure 6.7.
As can be seen, a Red (R)/Amber (A)/Green (G) status column is very
common together with a trend indicator. These two columns provide a quick
view and guide the dashboard user as to which indicators to focus on first. It is
also common to record the most recent three periods and to have an average of
the most recent three in order to smooth the volatilities in the indicators.
In Figure 6.7, the ‘Overtime hours’ has a ‘red’ status and is of concern
because of its actual level, although it is at least trending down. ‘Complaints
received’ requires attention because, although it is at ‘amber’, it has doubled in
this period. Additionally, although the ‘Temporary staff’ percentage is trend-
ing down, the change from the last period is relatively small.
Combinations of indicators can also tell stories. For example although the
risk of ‘Accounts not KYC (Know Your Customer) compliant’ is stable and
within the green band, the number of customers has increased significantly in
this period whilst the ‘Overtime hours’ and ‘Temporary staff’ percentage are
both trending down. These last two indicators may be indicators of how well
the control of ‘Operations KYC review’ is performing in mitigating the risk
of ‘Accounts not KYC compliant’. This leads to the conclusion that ‘Overtime
hours’ and ‘Temporary staff’ are likely to be leading indicators for the risk of
‘Accounts not KYC compliant’.
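The band shapes described under Targets and thresholds (two-sided with uneven bands, one-sided, binary), the key staff turnover thresholds of Figure 6.6 and the dashboard columns just discussed (status, trend, last three periods and their average), worked through as one added example; this is not code from the book, and the indicator names other than key staff turnover, the histories and the thresholds for ‘Complaints received’ are constructed.

```python
"""Indicator bands (RAG status), escalation and a dashboard row.
Added example, not from the book; band shapes and the key staff turnover
thresholds follow the text, names and histories are constructed."""
from dataclasses import dataclass
from statistics import mean
from typing import Callable, Sequence

# A band is a status colour plus a predicate on the value.  Bands are tested
# in order and the first match wins, so each helper lists green, amber, red.
Band = tuple[str, Callable[[float], bool]]

# Who is notified per colour, as in the text's key staff turnover example.
ESCALATION = {"green": "head of business", "amber": "risk committee",
              "red": "board and risk committee"}


def two_sided(green: tuple[float, float], amber_low: tuple[float, float],
              amber_high: tuple[float, float]) -> list[Band]:
    """Bands bounded on both sides; inclusive ranges that may be uneven.
    Green inside `green`, amber between the outer edges of the two amber
    ranges, red beyond.  Fractional values follow the inequalities as
    written (an assumption; the text only quotes whole numbers)."""
    g_lo, g_hi = green
    a_lo, a_hi = amber_low[0], amber_high[1]
    return [("green", lambda v: g_lo <= v <= g_hi),
            ("amber", lambda v: a_lo <= v <= a_hi),
            ("red", lambda v: True)]


def one_sided(green_max: float, amber_max: float) -> list[Band]:
    """Bands bounded on one side, e.g. green 0-1, amber 2-3, red 4 and above."""
    return [("green", lambda v: v <= green_max),
            ("amber", lambda v: v <= amber_max),
            ("red", lambda v: True)]


def binary(green_value: float = 0) -> list[Band]:
    """Indicator that moves straight from green to red (e.g. fatalities)."""
    return [("green", lambda v: v == green_value), ("red", lambda v: True)]


@dataclass
class Indicator:
    name: str
    bands: Sequence[Band]

    def status(self, value: float) -> str:
        """Colour of the first band whose predicate the value satisfies."""
        for colour, matches in self.bands:
            if matches(value):
                return colour
        raise ValueError(f"{self.name}: no band covers {value!r}")


@dataclass
class DashboardRow:
    indicator: str
    status: str                  # RAG status of the latest period
    trend: str                   # "up", "down" or "flat" vs previous period
    last_three: tuple            # most recent three periods, oldest first
    three_period_average: float  # smooths volatility, as in the text
    escalate_to: str


def dashboard_row(ind: Indicator, history: Sequence[float]) -> DashboardRow:
    """One dashboard line from a history of values (oldest first, >= 2)."""
    if len(history) < 2:
        raise ValueError("need at least two periods to report a trend")
    latest, previous = history[-1], history[-2]
    trend = "up" if latest > previous else "down" if latest < previous else "flat"
    last_three = tuple(history[-3:])
    colour = ind.status(latest)
    return DashboardRow(ind.name, colour, trend, last_three,
                        mean(last_three), ESCALATION[colour])


# Band shapes from the text (Figure 6.5, Figure 6.6, the one-sided and the
# binary examples); names other than key staff turnover are constructed.
FIG_6_5 = Indicator("Target-5 indicator", two_sided((4, 6), (2, 3), (7, 7)))
KEY_STAFF_TURNOVER = Indicator("Key staff turnover (%)",
                               two_sided((10, 15), (5, 9), (16, 20)))
COMPLAINTS = Indicator("Complaints received", one_sided(1, 3))
FATALITIES = Indicator("Fatalities on site", binary())

# Constructed three-period histories, oldest first.
SAMPLE_HISTORY = [(KEY_STAFF_TURNOVER, [12, 17, 22]),  # green, amber, now red
                  (COMPLAINTS, [1, 1, 2]),             # amber, doubled this period
                  (FATALITIES, [0, 0, 0])]

if __name__ == "__main__":
    for ind, hist in SAMPLE_HISTORY:
        row = dashboard_row(ind, hist)
        print(f"{row.indicator:<24} {row.status:<6} {row.trend:<5} "
              f"{row.last_three} avg={row.three_period_average:.1f} "
              f"-> {row.escalate_to}")
```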
Summary
Indicators are valuable not only in monitoring business performance, but in
identifying changes in a firm’s risk environment and in the effectiveness of risk
controls. They are a fundamental part of the operational risk management pro-
cess and an essential part of monitoring operational risk appetite.
The important thing to remember is that a KRI is an indicator of a key
risk and a KCI an indicator of a control which relates to a key risk. If that is
understood, the number of indicators will be manageable and the business will
see them as valuable, thus helping to achieve buy-in for the whole operational
risk management process. Another tip to encourage buy-in is to use, as far as
possible, indicators which are already being used by the business. Inventing
new ones, or failing to involve the business in identifying and establishing
indicators, will be counter-productive and a waste of energy and goodwill.
Having considered the three fundamental processes of operational risk man-
agement, it is now time to ‘advance the framework’ and look at various aspects
of modelling and reporting operational risk data.
Part 3 Advancing the framework
7. Reporting
8. Modelling
9. Stress tests and scenarios
Introduction
Common issues
Basic principles
Report definition
Reporting styles and techniques
Dashboard reporting
Summary
Introduction
There is little value in carrying out the processes in your operational risk
framework without good reporting. Informed decision making flows from
good operational risk reporting. Without it, poor decisions are far more likely
or, even worse, no decisions are made at all. It can be only too easy to
drown in operational risk data, and so be unable to produce information and
reports which support effective action plans to improve or protect your oper-
ational risk profile.
Good operational risk reporting is more difficult than it looks. With the wide-
spread use of Excel everyone thinks that they can write good reports. However,
little consideration is given to the fact that operational risk information is often
complex and presenting it to a broad and diverse audience is not easy.
Figure (the operational risk framework, as in Figure 6.1): Governance; Identify key risk and control indicators; Specify risk appetite; Assess likelihood and impact; Identify risk owner; Identify control owner; Assess design and performance; Identify and capture internal and external events; Analyse causes; Reporting.
Common issues
and detailed information on a particular area. Indeed, such a request shows that
the board is fully involved in the operational risk management of the firm and
has read and digested the regular summary exception reports.
A CEO or head of business unit is unlikely to be interested in the detailed
activity level risks referred to in Chapter 4, Risk and control assessment.
Equally, the supervisor of a unit within a department will have little interest
in business level or process level risks. For an operational risk report to be of
use, it must capture and report on risks, controls, indicators and losses which
are pitched at the level of detail for the recipients of the report. Data must
therefore be in a form in which it can be tailored and presented to answer the
needs of a variety of audiences at any point in time.
Basic principles
practical use has disappeared, if there was one in the first place. The pointer
to action can be explicit, as in a key indicator report showing that an indicator
is in the red band (see Chapter 6, Indicators), or implicit, as in a report show-
ing the risk appetite alongside a column of values. All reports, though, should
highlight the need for action or at least a decision on action. As we have said
before, if they don’t, drop them.
Timely reporting
A report is only useful if it is produced in a timely fashion. If a report fre-
quency is set as monthly, it is likely that the values in the report will or
may change on a month-by-month basis. It is therefore no good producing a
monthly report three or four weeks after the end of the month as it will have
relatively little value. Time has moved on and it is almost time for new values to
be calculated for the end of the following month. Equally, there is no point set-
ting a report frequency of daily or weekly if the values only change on a monthly
basis. Untimely reports like this will be ignored by management and will
actively work against embedding good operational risk management in a firm.
Risk ownership
Any risk report should enable management to take ownership of the infor-
mation. This may be done explicitly, with a risk owner clearly identified, or
implicitly through the identification of a department or business line. Either
way, and linking with the point above about identifying actions, a good oper-
ational risk report will precipitate effort to correct or enhance the operational
risk profile of the firm by the person who owns the risk which requires action.
An alternative, of course, is that the report shows that all risks are within the
firm’s risk appetite and that no action is required. If this is the case, it is debat-
able as to whether or not the risk appetite of the firm is too conservative. Even
a report indicating that no action is required can prompt a useful challenge.
Report definition
Before a draft design or prototype report is considered, it is important to define
the report. A definition of a report is usually a single sheet of paper, which
typically contains the following:
• Name of the report. A clear name is preferable to a report code; a report named ‘Risk and control assessment’ is self-explanatory, as opposed to one headed ‘ORM1’.
• Objective(s) of the report. This is often a difficult topic but a clearly stated objective helps considerably in ensuring that the report is effective in use.
• Distribution list of recipients. This will help to ensure that the report is targeted at the right people and contains the right level of data.
• Names of fields to be used. This will help to ensure that only the fields required for the report are on the report, i.e. that there are no extraneous data items on the report.
• Calculations required in each field (before the report is printed). This makes clear the calculations to the IT staff who will be producing the coding for the report; it also helps the person requesting the report to think through the requirements and therefore eliminates unnecessary manipulation of the data.
• Manual actions to be performed in each field (to obtain the final report). These are any additional actions which may be required before the report is ready to be used; there should be very few manual actions, if any.
• How to use the final report (including typical actions resulting from the final report). This is a crucial part of the report definition; it further clarifies the report objectives in a practical manner. The act of thinking through in detail how the report will be used challenges the report requestor in terms of the necessity of the report and its differences with existing reports. This section may even lead to other reports being reconfigured or eliminated.
It is only after a report definition has been completed that a design or prototype
should be considered. These will, of course, be guided by the definition which
will remain a crucial document throughout report coding and production.
Further context can be given in terms of percentages for each slice – see
Figure 7.3 – together with clearer labelling – see Figure 7.4 – which makes for
much easier reading.
Figures 7.3 and 7.4 January losses (pie charts): System failures 12%; Internal fraud 16%; Damage to assets 10%; External fraud 23%; Business practices 26%; Employment practices 13%.
Alternatively, even a simple bar chart will enable easy comparison of the size
of loss types (see Figure 7.5).
Figure 7.5 January losses by loss type (bar chart): System failures; Damage to assets; Business practices; Employment practices; External fraud; Internal fraud.
2D or 3D
There has been a trend towards three-dimensional reports. Whilst this look
is ‘21st century’ the 3D reports do not always give information clearly or
quickly, as can be seen in the 3D column and line charts shown in Figures 7.6
and 7.7 which use the data given in Table 7.1.
Figures 7.6 and 7.7 (3D column and line charts of monthly losses, Jan to Jun, by loss event type: Internal fraud, Employment practices, Business practices, Damage to assets, System failures; vertical axis 0 to 120,000).
Figure (a further chart of the same monthly data, Jan to Jun; vertical axis 0 to 140,000).
Shading
It is easy to shade a table to indicate the status of a cell and to include
possibly spurious accuracy through decimal values. Figure 7.9 is more cluttered
and more difficult to extract information from than Figure 7.10.
In Figure 7.9, the eye is pulled to the masses of light and medium shaded
cells, rather than to the important information highlighted in dark tint, which
stands for red cells.
Figure 7.10 Losses for six months (round £ thousands), highlighting red cells only
Employment practices: 40, 20, 5, 3, 15, 20
Damage to assets: 30, 5, 7, 10, 2, 18
System failures: 35, 25, 45, 15, 18, 30
In Figure 7.10, loss amounts have been reduced to round £ thousands and
only the dark-tinted (red) cells are highlighted, the information which most
concerns the reader.
Dashboard reporting
Many reports feature in other chapters of this book. These focus on the chapter
topic, for instance risk and control assessment, indicators, events and losses.
However, it is important to draw the threads together so that a comprehen-
sive and cohesive approach can be taken to managing operational risk. Such a
report will show the major items of interest to the reader (and as noted above
these will be different for different readers). A report giving a range of infor-
mation, often in different formats to suit the particular topics being reported,
is usually called a dashboard. Two examples of a dashboard report are given in
Figures 7.11 and 7.12.
Figure 7.11 Risk performance report, with columns: Risk; Impact; Likelihood; Impact; Likelihood; Actual; Trend from previous; Target; Better (Worse); Action/Summary; Rating.
The risk performance report in Figure 7.11 gives the top four risks for
the firm. (This is commonly produced for the top 10 or top 15 risks.) The
indicators and events/losses for these top risks are given too, so that an over-
all operational risk picture is available. Actions and overall rating (on the
right-hand side) can be agreed at the risk committee. This report can then
be distributed to board members as a summary of the firm’s operational risk
status for its top risks.
Figure 7.12 Dashboard report: operational risk summary
Figure 7.12 provides summary risk information on the top operational risks
of the firm at a more detailed level of loss event type and extends the analy-
sis in Figure 7.11 to include more complete data on indicators and losses, as
well as more information on risk and control assessments. Whilst there may
be a loss of detail in any summary, salient information is brought out by dif-
ferent display formats. The summary table top left provides a good use of
colour which draws attention to risks which require action, as well as provid-
ing a clear indication of indicator trends, which is developed in the bar chart
at top right. The spidergram at bottom left is an effective way of highlighting
relative levels of risks and controls. The column and line chart at bottom right
provides a clear visual summary of the more detailed loss information just
above it.
Summary
Good reports are essential to good operational risk management. Key infor-
mation must be easily accessible and delivered in such a way as to support
informed business decisions on the firm’s operational risk profile. That sounds
easy and obvious, but is not so easy in practice. It is only too easy to be over-
whelmed by information which is not focused on readers’ needs. That can
include too much information, information which is not relevant to the reader
and information which may be relevant, but is not presented in a way which is
readily understandable. With operational risk, readers can be at every level of
the firm, so the range is wide.
All of those issues of communication and understanding are just as pertinent
when it comes to modelling operational risk, the subject of the next chapter.
Introduction
Previous approaches to operational risk modelling
Towards an inclusive approach
Distributions and correlations
Practical problems in combining internal
and external data
Confidence levels and ratings
Obtaining business benefits from capital modelling
Obtaining business benefits from qualitative modelling
Summary
Introduction
Much has been written about the mathematical modelling of operational risk.
Unfortunately, almost all of the writing has been very mathematical and with
very little focus on the business benefits. It is almost as though the model-
ling of operational risk should be sufficient in itself as an intellectual exercise.
Modelling appears to be divorced in some way from the reality of the business
world. Yet there are considerable benefits which can be derived from mod-
elling and you do not have to wait for several years until you have collected
sufficient loss data. Modelling of operational risk can start as soon as the first
risk and control assessment is completed and it can help challenge and validate
the data in that assessment.
Figure 8.1 The operational risk framework (diagram): Governance; Identify key risk and control indicators; Specify risk appetite; Assess likelihood and impact; Identify risk owner; Identify control owner; Assess design and performance; Identify and capture internal and external events; Analyse causes; Reporting.
As shown in Figure 8.1, modelling can use data from any one or more of the
three fundamental operational risk processes. It can change the qualitative data
obtained from risk and control assessments into monetary values and be used to
make sense of the plethora of loss and indicator data. In addition, when prob-
abilistic modelling is used, it provides vital validation of these processes by
enabling management to challenge the conclusions reached deterministically.
Modelling of operational risk can be used to determine the economic capi-
tal required to support the operational risks to which a firm is subject, as well
as to calculate regulatory capital requirements. By calculating capital by busi-
ness line and loss event type, modelling enables the capital to be allocated to
business units easily and fairly and supports a risk adjusted return on capital
approach to business management.
low-impact losses (that is around the 40th to the 60th centile) out to the
very high centiles (e.g. 99.9). Such an extrapolation is clearly suspect,
without using data which is closer to the very high centiles, and takes
no account of a particular firm’s risk profile, which may be better than
the industry’s generic profile. Additionally, the relationship between
expected and unexpected losses may be non-linear.
where VaR(le,bl) is the value at the required centile of the selected loss event (le)
and business line (bl) cell.
One serious flaw of the loss distribution approach is that it did not recog-
nise that it is mathematically incorrect to sum VaRs from different (and
possibly very different) distributions. However, the approach could be mathemat-
ically correct if an expected shortfall figure were used instead of the VaR, as the
expected shortfall is an average of all the VaRs at and past the relevant quantile.
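As an added illustration of this point (a constructed example, not code or data from the book), the following Python computes VaR and expected shortfall exactly for two hypothetical loss event type/business line cells, each losing 100 with probability 4% and nothing otherwise, and compares the sum of the per-cell figures with the figure for the aggregated loss. The 95th centile is used so that the effect can be checked by hand: each cell's VaR is 0, yet the VaR of the combined loss is 100, so summing VaRs gives the wrong answer; the summed expected shortfalls (160) bound the aggregate expected shortfall (103.2) from above, which is the property that makes expected shortfall safe to add across cells.

```python
from fractions import Fraction
from itertools import product

# Constructed illustration: a discrete loss distribution is a dict {loss: probability}.
# Exact Fractions are used so the figures are exact rather than simulated.
CELL = {Fraction(0): Fraction(96, 100), Fraction(100): Fraction(4, 100)}
Q = Fraction(95, 100)  # a deliberately low centile so the effect is visible by hand


def value_at_risk(dist, q):
    """Smallest loss L with P(loss <= L) >= q for a discrete distribution."""
    cumulative = Fraction(0)
    for loss in sorted(dist):
        cumulative += dist[loss]
        if cumulative >= q:
            return loss
    raise ValueError("probabilities do not sum to 1")


def expected_shortfall(dist, q):
    """Average of the worst (1 - q) of outcomes, i.e. the mean of the VaRs at and
    beyond q. The probability atom sitting at the VaR is split so that exactly
    (1 - q) of probability mass is averaged."""
    tail = Fraction(1) - q
    remaining = tail
    total = Fraction(0)
    for loss in sorted(dist, reverse=True):
        take = min(dist[loss], remaining)
        total += take * loss
        remaining -= take
        if remaining == 0:
            break
    return total / tail


def convolve(a, b):
    """Distribution of the sum of two independent discrete losses."""
    out = {}
    for (la, pa), (lb, pb) in product(a.items(), b.items()):
        out[la + lb] = out.get(la + lb, Fraction(0)) + pa * pb
    return out


def compare_aggregation(cells, q):
    """Sum of the per-cell measures versus the measure of the aggregated loss."""
    aggregate = cells[0]
    for cell in cells[1:]:
        aggregate = convolve(aggregate, cell)
    return {
        "sum_of_vars": sum(value_at_risk(c, q) for c in cells),
        "var_of_sum": value_at_risk(aggregate, q),
        "sum_of_es": sum(expected_shortfall(c, q) for c in cells),
        "es_of_sum": expected_shortfall(aggregate, q),
    }


if __name__ == "__main__":
    for key, value in compare_aggregation([CELL, CELL], Q).items():
        print(f"{key:12s} {float(value):8.2f}")
```

The functions accept any discrete distribution, so different cell probabilities can be tried to see VaR summation overstate as well as understate the aggregate, whereas the summed expected shortfalls never fall below the aggregate expected shortfall.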
The first four disadvantages for the internal measurement approach (see
p. 148) are equally valid for the loss distribution approach.
Scorecard approach
This is named after the balanced scorecard approach to management practised
by a number of large firms. This approach was also first identified by the Basel
Committee in September 2001. Although some firms using this approach
started with the internal measurement approach or loss distribution approach
for an initial capital calculation, the scorecard approach takes a more qualita-
tive view of operational risk capital. In practice, an initial capital is calculated
at either a firm or a business line level using data derived from either quali-
tative or quantitative techniques.
However the initial capital is calculated, it is modified through a forward-
looking component which is intended to reflect improvements in the control
environment which may reduce the frequency and/or the severity of future
operational risk losses. Changes to the risk profile may be reflected through
indicators of particular risks or the results of, for example, risk and control
assessments. Given the use of qualitative data, the results of this approach
must be rigorously challenged through the use of both internal and external
loss data.
A fundamental difference between a scorecard approach and the two
approaches above (based solely on loss data) is the inclusion of forward-looking
data derived from discussions with business line staff and reviewed by a cen-
tral risk function. The discussions and review often form part of the risk and
control assessments, as it is these which can easily be used to identify expected
risks to the firm in the future and its control environment.
A further difference using the scorecard approach is that the capital is cal-
culated from a single VaR value taken at the required quantile from a single
distribution created using the firm’s or the business unit’s entire data. This has
the advantage that it does not sum VaRs.
The advantages to this approach include:
• If a firm acquires or disposes of a business or commences or ceases
trading in a new product, an assessment of the risks (and the capital
required) can be included immediately due to the forward-looking ele-
ment of this approach.
• The forward-looking risk and control data can be used to compensate for
a lack of loss data.
• There is, in theory, no need to wait for a number of years in order to
collect sufficient data. The inherent nature of these qualitative for-
ward-looking data is that they are refined and modified over time as
management becomes more confident with its risk methodology and as
the firm’s risk profile changes.
• Although the data are subject to business judgement assumptions,
the assessment of risks and controls is often performed on a realistic
worst-case basis. This yields data that are significantly towards the very
high centiles and therefore the data used in a scorecard approach are
inherently more representative of data which can severely damage a firm,
than data solely from losses.
There are, however, a number of drawbacks to this approach:
• The major assumption that business judgement is a good indicator of the
future capital requirements of the firm: the events of 2007/9, particu-
larly in the banking part of the financial services sector, show that this
assumption is just as flawed as the assumption that the past is a good
guide to the future. (See also Recognising and mitigating natural biases in
Chapter 9, Stress tests and scenarios.)
• The quality of the forward-looking data can vary widely depending on
the extent of line management commitment. Some management can be
very willing to dedicate time and effort to determining a comprehen-
sive set of risks and controls. Others will view it as an intrusion into
their everyday work and may delegate the risk and control assessment
to inappropriate or inexperienced junior personnel. This is, of course, a
reflection of an unacceptable risk culture in the firm.
• Whilst the two loss data based approaches derive distributions from the
data, the scorecard approach often requires a distribution to be assumed
for the probabilistic modelling. Distributions have different sizes and
shapes and this can affect the capital requirement. This drawback can be
overcome by taking capital requirement readings at whatever quantile
is used from a variety of distributions, as the modelling can be repeated
using as many different distributions as the firm sees fit.
As can be seen in Table 8.1, the assumption that the past is a guide to the
future is clearly made in both the internal measurement approach (IMA) and
loss distribution approach (LDA). However, the scorecard approach could also
be challenged in that whenever the future is assessed, there is at least an inher-
ent bias towards what has happened in the past.
Equally, the assumption that ‘business judgement is a guide to the future’
is clearly made in the scorecard approach although the only way that the other
two approaches could be accused of making this assumption is through the
derived capital requirement which of course applies to the future.
As the data for the IMA and LDA are from losses experienced by the firm,
there is a clear assumption that those losses are recorded in an analysis by the
firm (most usually in the accounts/general ledger of the firm) and that this
analysis is accurate. The scorecard approach is likely to use losses suffered by
the firm as a form of back-testing and therefore the assumption of accuracy is
considerably less important.
As the IMA explicitly assumes a fixed and stable relationship between the
firm’s loss data and capital requirement, the use of low-frequency/high-impact
data is less important, although it will add to the accuracy of the capital
requirement if it exists. In contrast, the LDA makes no such assumption in
terms of a fixed and stable relationship and therefore the availability of low-
frequency/high-impact data is of much more significance. Again, although the
scorecard approach does not use loss data directly, its availability for back-test-
ing is useful and therefore sufficient high-quantile data will again add to the
accuracy of the derived capital requirement.
The only approach which assumes a fixed relationship between existing
losses and unexpected losses is the IMA.
In terms of distribution assumptions, the IMA does not use a distribution,
being a deterministic method for calculating capital, whereas the scorecard
approach definitely assumes distributions in its probabilistic modelling. The LDA
may assume distributions in the higher quantiles and also may assume a particu-
lar distribution is the best fit for a particular loss event type/business line cell.
Table 8.2 analyses the characteristics of the data in the three approaches.
Clearly, the IMA and LDA both use objective (i.e. past) data and the score-
card approach may use it in assessing the future. Equally clearly, the scorecard
approach uses a subjective analysis of the risks that may be suffered by the firm
and of the controls that may be used to mitigate the risks. Both of these are
forward-looking although possibly influenced by past events.
Any quality assurance on the data will probably be provided by internal
audit for the IMA and LDA loss data whereas quality assurance on scorecard
data can only be provided by internal audit at a process level.
Whilst some cells in the Basel 56-cell matrix will have considerable loss
data, other cells will have very little loss data, if any. This means that the
statistical analysis in the LDA in particular may be poor due to a low quan-
tity of data. In comparison, the scorecard approach data will be tailored to that
which is required if line management can be engaged in the process.
To have sufficient data for loss event modelling you need at least 30 data
points for each risk, or combination of risks, which you are trying to model.
The time it takes to collect that amount of data is therefore as long as you
need, but could well be at least five years or longer for relatively rare risks.
As an example, the Basel Committee set a minimum of three years, ultimately
moving to five years, but the real time could be even longer. Timescales such
as these significantly affect the ability of a firm to start using advanced mod-
elling. And of course even five years of benign activity tells you little, as we
have seen with credit data in the period preceding the 2007/8 sub-prime prob-
lems. On top of which, old data can be largely irrelevant, since the internal and
external environments will almost certainly have changed.
Although the collection time for scorecard data is much shorter (as long as
it takes to complete sufficient risk and control assessments), the need to chal-
lenge the scorecard data through the use of appropriate and sufficient loss data
means that the three-year minimum may also apply to the scorecard approach.
However, the scorecard approach can be used by the business to gain signifi-
cant benefit before this time has elapsed (see Obtaining business benefits from
qualitative modelling later in this chapter).
The source of losses will ultimately be a value which is recorded in the
accounts in the IMA and LDA whereas management will provide the data for
the scorecard approach.
The use of external data can be either direct or indirect in the LDA or IMA,
whereas the scorecard approach will use external data both for back-testing and
possibly for the generation of relevant high-quantile risks. Direct use of ex-
ternal data in the LDA or IMA is dependent on appropriate conditioning of
the data, such as scaling.
But other factors come into play, apart from the nature and quality of
assumptions and data. These are shown in Table 8.3. The capital charge cal-
culation in the IMA is deterministic and uses a standard factor. In the LDA,
individual VaR values are used and then summed to produce an overall capital
figure for the firm. In the scorecard approach, a single value is taken from the
overall distribution for the firm.
Training people to use any of the three approaches is a significant exercise:
• The IMA requires a significant amount of training as loss data must be
captured firm-wide over a number of years in order to produce an accu-
rate value for the capital required. It also requires considerable acceptance
across the firm that comprehensive collection of internal loss data is a
worthwhile use of resource. This acceptance requires commitment from
everyone in the firm. This is difficult to obtain for capital modelling pur-
poses in that the resultant control gaps will almost certainly have been
closed and the capital suggested by the losses is therefore historic rather
than that required to provide support for future problems.
• The LDA also requires a significant amount of training as, again, loss
data must be captured firm-wide, together with an understanding of
probabilistic approaches applied to operational risk amongst risk man-
agement and senior management.
• The scorecard approach requires significant training for line manage-
ment in order that its assessments are comprehensive and consistent, as
well as an understanding of probabilistic approaches applied to oper-
ational risk.
The IMA can be difficult to assess as a concept because it incorporates a large
amount of data and exposure indicators, together with a translation factor sup-
plied by the regulator. The LDA may be inaccessible for many staff due to its
probabilistic approach for extending known losses into high quantiles for a
capital requirement. In contrast, the scorecard approach may be easier for man-
agement as it is based on management’s view of the risks which are likely to be
faced by the firm and the controls that will mitigate those risks.
Neither the IMA nor the LDA is able to give rapid business value, as con-
siderable time is required to collect the data. However, the scorecard approach
may give rapid business value, as the collection time for data is much shorter.
The efficiency of controls is tested indirectly through the IMA and the LDA
as control failures lead to losses and therefore there is an implicit link to the
capital required. As the scorecard approach directly assesses the quality of the
controls, it can also be used to challenge the efficiency of the controls by com-
paring the mitigating effect to the cost of controls (see later in this chapter,
Obtaining business benefits from qualitative modelling).
In the same way, the IMA and LDA can be used indirectly to support
cost reduction, whereas the scorecard approach can be used directly to
support it.
The transparency of the three approaches is hotly debated. It can be argued
that the IMA has a low transparency because of the use of exposure indicators
(determined by the firm) and translation factors (determined by the regu-
lator or an industry body). Equally, the LDA uses the firm’s own losses (albeit
probabilistically) and it can therefore be said to be transparent. Whilst the
scorecard uses management’s own view of its forward-looking risks and of its
controls, the probabilistic approach may be viewed as lacking transparency.
It can clearly be seen that most of the qualitative governance standards which
are essential in inclusive modelling are also essential good operational risk
practice. It is true that the depth of analysis may differ, for example, in the
external operational risk measurement validation where it will be less detailed
in good operational risk practice than in inclusive modelling. The capital allo-
cation and incentives for good risk management will also be to a different
depth and rigour. However, the only major item which stands separately in
inclusive modelling is integrated scenario analysis. It is arguable that any well-
run firm will include this in its business practices anyway.
Scaling
Such gaps can be partially filled by external loss data. However, there is con-
siderable debate around how to scale external data for a particular firm. For
example, what scaling factor should be used in order to adjust the loss suf-
fered by a Barings or BCCI to a particular firm’s risk profile? A number of
commentators have suggested metrics such as number of staff, gross revenues
or the number of trading tickets processed. However, there is no evidence to
show that losses can be scaled using such metrics. The answer, as we saw in
the section on scaling in Chapter 5, Events and losses, is that precise scaling
is not possible, but an assessment can be made by identifying common factors
between the loss-suffering firm and your own and extrapolating an answer on
that basis.
Data cleansing
It is very clear that models using external data are particularly sensitive to the
data, as its principal impact will be on the extreme right-hand end of the curve
from which a capital figure is taken. As such, cleansing of external loss data is
vitally important when it is used for modelling. The term ‘cleansing’ denotes
the process of checking that the losses are relevant to the firm and determining
an appropriate size of the loss with respect to the firm.
Whilst the appropriate size can be determined through some form of scal-
ing, as discussed above and in Chapter 5, the relevance of the loss to the firm
is the first step in the process, as there is no point scaling a loss which is not
relevant. To understand the relevance, it is important to have a narrative in
the external data which comments on the cause of the loss. A full and accurate
description is therefore required.
It is of course clear that, for a financial services firm, a trading loss made
through a ‘fat finger’ error by a competitor is relevant, at some size, to another
trading firm. Equally, this loss is unlikely to be relevant to a small retail finan-
cial services firm. However, a loss suffered by a retail bank through mortgage
fraud may be conceptually relevant to a trading firm if the loss was caused
through poor documentation standards. Such standards are equally applicable
to a trading and sales firm and are particularly relevant if the trading and sales
firm conducts, for instance, over-the-counter derivatives.
Additionally, there may be losses made by firms outside the financial ser-
vices sector which are directly relevant to a financial services firm. For
example, the British Airways and Gate Gourmet outsourcing case, mentioned
in Chapter 13, Outsourcing risk, is directly relevant to almost all financial ser-
vices firms, as outsourcing is significant in their industry.
It is therefore important for external data to be carefully challenged, both in
terms of relevance and size, before putting such data into a model. This chal-
lenge does not have to be carried out every time the model is run, although it is
appropriate to review previous challenges on a periodic basis, such as an annual
review. Similarly, it is also appropriate to challenge internal data when the
firm’s business model changes, when there are significant changes in the market-
place and as it degrades over time and may become only partially relevant.
discrete fashion through, for example, hiring a trading team or in a slow con-
tinuous fashion by, for example, a measured withdrawal from that market.
Fat tails
The term ‘fat tails’ is sometimes used, often somewhat disparagingly, during a
discussion about modelling operational risk events and losses. This refers to the
higher quantiles in a distribution and to the seeming paradox that a considerable
number of high quantile events have occurred within the last 15 to 20 years.
Figure 8.2 (diagram; labels recovered from the image) A lognormal distribution of frequency against severity: frequency at low severities is drawn from internal (private) data, with a fattened tail at high severity values drawn from external (public) data.
Mathematically, very large events are only supposed to happen once in many
lifetimes. Yet any operational risk manager can name at least half a dozen very
large events they have experienced or been aware of, without even touching the
events of the financial crisis of 2007/9. To have a very large number happening
in such a relatively short timescale means that at least one of the assump-
tions underlying modelling must be incorrect. The most obvious assumption
to challenge is that the shape of the curve is correct. The response of many
mathematicians involved in operational risk has been to increase the size of the
tail above that which is demanded by the standard shape for a distribution (see
Figure 8.2). This inevitably increases the size of the capital required, but it
makes the model appear more in touch with reality, as higher losses demand
more capital.
Figure 8.3 (diagram; labels recovered from the image) A lognormal distribution of frequency against severity for internal (private) data at low severities, with a second distribution at high severity values drawn from external (public) data.
However, it is also possible that another distribution exists in the higher quan-
tiles which is largely separate from the distribution which covers expected
losses in the high frequency/low to medium impact part of the curve. The chal-
lenge for modellers is to model a bimodal distribution with one mode in the
expected losses area and a second in the low frequency/high impact area (see
Figure 8.3). Resolving this challenge is a significant mathematical exercise and
is beyond the scope of this book.
and give a higher level of capital, as well as a greater level of confidence that
the capital requirement will not be exceeded.
Whatever confidence level is used, it is simply a guide to the capital
required. For example, a confidence level of 99.9% for a holding period of one
year means that on average the capital required will not be exceeded except
by a 1-in-1000 event. This therefore requires many years (if not
thousands!) to pass before the average capital required can be stated with some
degree of certainty. Clearly this can only be an approximation in our lifetimes,
as has been amply demonstrated during the 2007/9 financial crisis.
Finance and Trading & Sales are regarded by Basel as higher-risk business lines
and both attract a weighting of 18% under the Standardised Approach to capi-
tal calculation. If both businesses have a similar number of staff and a similar
culture within the firm whose AMA output is represented in Figure 8.4, it
is likely that the capital required for risks under the ‘Employment Practices
& Workplace Safety’ heading will also be similar. Why then are the capital
requirements so different?
There are at least three explanations:
• Corporate Finance has been through a very difficult period in terms of
staff relations and has had to make a number of out-of-court settlements.
If this is the reason, clearly some senior management work is necessary in
order to improve staff relations in Corporate Finance.
• Corporate Finance has been assiduously submitting its losses and events
to the Operational Risk Department whereas Trading & Sales has inad-
vertently or otherwise not disclosed all of its events. If this is the reason,
clearly some work is necessary with senior staff in Trading & Sales in
order to encourage them to disclose all of their events.
• Trading & Sales has very good controls which have both prevented
losses from occurring and, when they have occurred, the losses have been
detected quickly and the control failures have been corrected without
delay. If this is the reason, management should determine whether the
good quality controls in Trading & Sales can be replicated in Corporate
Finance (and in other high-capital requirement areas such as Retail
Banking and Retail Brokerage). Such replication will significantly
reduce the amount of capital required to run the firm.
Similarly, in the ‘Business Disruption & Systems Failures’ column there is a
very small capital requirement against Agency Services. Either very good con-
trols (perhaps a hot standby computer system) exist in Agency Services for
Business Disruption & Systems Failures or Agency Services is very dilatory
in reporting events and losses and also has assessed its business and internal
control environment as excellent (i.e. its risks are very low and its controls are
very good). If good controls exist then it will be very worthwhile investigat-
ing whether these controls can be replicated in, for instance, Retail Banking
or Retail Brokerage where a substantial reduction in capital could be achieved.
Figure 8.5 Model input example: number of internal losses (part of the data used to generate the output in Figure 8.4)
requirements in Figure 8.4 gives a clearer picture of which of the three possi-
bilities above are more likely. Given that Trading & Sales has only reported 39
events against Corporate Finance’s 95 events, it would appear that the second
possibility is more likely, i.e. Trading & Sales has not reported all of its events
and losses, whereas Corporate Finance has been very diligent. However, the
third possibility remains feasible and clearly the next step is a short investi-
gation of Trading & Sales to see which of these two remaining possibilities has
actually occurred.
In much the same way, Agency Services having only one event reported
requires further investigation. In both cases, the firm will benefit from either
better reporting of losses and therefore better data on which to manage the
businesses or from good controls in one business being developed and imple-
mented in other businesses. Either way the firm’s operational risk profile will
be better managed and potentially significantly reduced.
However, by also looking at Figure 8.4, it can be seen that Trading &
Sales has a much higher capital requirement than Commercial Banking for
this loss event type. This implies that when Trading & Sales has a loss in
‘Clients, Products & Business Practices’ it is a much larger loss on average
than Commercial Banking. Clearly, assuming the transaction size and busi-
ness practices of these two businesses are similar, Commercial Banking is able
to minimise the size of its losses at the same time as minimising the number
of its losses. Any business practices which can be copied from Commercial
Banking into Trading & Sales, Retail Brokerage and/or Asset Management
will again substantially reduce the capital required by the firm.
Figure (number not extracted; labels recovered from the image) Frequency against severity for distributions with a small, a medium and a large standard deviation (sd).
Risks
Risk and control assessment data can be modelled through using standard
Monte Carlo simulation techniques. An output example for risks is shown in
Figure 8.7.
A risk and control assessment model will take the risk and control scores
assigned during an assessment and model these through simulating the poten-
tial losses using a given distribution.
As can be seen from the histogram in Figure 8.7 there are three risks
(RSK00004, RSK00013 and RSK00020) which have significant modelled
net losses (pale bars). Their net values of approximately £6m, £3m and £1m
respectively can be read from the detailed spreadsheet below the histogram.
It is not surprising that most risks have a net loss as the data has been
modelled at a confidence level of 99.9%. What is surprising is that three
risks (Overdependence on outsourcing; Poor employee incentives; Misaligned
employee goals) still have zero net risk even at the 99.9 quantile. It is most
unlikely, although possible, that the controls mitigating these risks are so
good that they are still operating perfectly at the average of the worst year in
1000 years. It is far more likely that:
• the quality of the controls has been overstated
• the number of controls mitigating the risk has been overstated, or
• the independence of the mitigating controls has been overstated.
Clearly, if the controls are all scored with a top score for both design and
performance they are most unlikely to fail together and cause a net loss, par-
ticularly if there are two or three controls all with maximum scores. Equally,
if there are a number of controls, perhaps six or seven, it is very unlikely that
sufficient will fail in order to generate a net loss, even if some are rated below
maximum. The positive effect of having many controls can be compounded if
the controls identified are not independent. One of the fundamental assump-
tions underpinning all operational risk models which use control scoring is
that the controls are independent. If this is not the case, the model will over-
state the mitigating effect of the controls.
Controls
An alternative way to look at a risk and control assessment is through the
controls. Rather than have the model aggregate results by risks it is also of
business benefit to have the model aggregate results by controls, particularly as
one control may mitigate several risks.
Figure 8.8 gives the reduction in risk exposure achieved by each control
and, taking into account the cost of each control, gives the net benefit of the
control. This enables a firm to see the net reduction that a control gives in
risk exposure. It can be seen at the top of Figure 8.8 that ‘Salary surveys’ and
‘Training and mentoring schemes’ give high values of control benefit after cost
with ‘Defined communication channels’ giving the highest benefit. It is inter-
esting that ‘Retention packages for key staff’ gives the second-highest control
benefit but only the fourth highest benefit after taking costs into account.
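To make the two views concrete, here is an added Python sketch of a risk and control assessment model driven by standard Monte Carlo simulation. It is a constructed example, not the book's model or its data: the risk names echo Figure 8.7, but the loss parameters, control scores, costs and the mapping from scores to a failure probability are all assumptions, and each risk is simplified to a single potential gross loss per year. It aggregates once by risk, giving net loss at the 99.9% confidence level with the controls failing independently and again with them failing together, and once by control, giving the exposure reduction each control delivers across every risk it mitigates and its benefit after cost.

```python
import math
import random
from statistics import mean

# Constructed sample assessment data (hypothetical; not the book's Figures 8.7 or 8.8).
# Gross loss in a year is modelled as lognormal(mu, sigma); each control carries a
# design score and a performance score (1 = poor, 5 = excellent) and an annual cost.
CONTROLS = {
    "Exit plans":                     {"design": 5, "performance": 5, "cost": 20_000},
    "Supplier monitoring":            {"design": 4, "performance": 4, "cost": 100_000},
    "Salary surveys":                 {"design": 4, "performance": 5, "cost": 5_000},
    "Retention packages":             {"design": 5, "performance": 5, "cost": 120_000},
    "Training and mentoring":         {"design": 3, "performance": 4, "cost": 40_000},
    "Defined communication channels": {"design": 4, "performance": 4, "cost": 10_000},
}
RISKS = {
    "Overdependence on outsourcing": {
        "mu": math.log(400_000), "sigma": 0.8,
        "controls": ["Exit plans", "Supplier monitoring"]},
    "Poor employee incentives": {
        "mu": math.log(150_000), "sigma": 1.0,
        "controls": ["Salary surveys", "Retention packages", "Training and mentoring"]},
    "Misaligned employee goals": {
        "mu": math.log(250_000), "sigma": 0.9,
        "controls": ["Training and mentoring", "Defined communication channels"]},
}


def failure_probability(control):
    """Hypothetical score-to-failure mapping: a 5/5 control fails 20% of the time,
    a 1/1 control about 78%. Any monotone mapping would serve the illustration."""
    score = control["design"] * control["performance"] / 25.0
    return 0.8 - 0.6 * score


def simulate_risk(risk, n=20_000, dependent=False, seed=1):
    """Monte Carlo draws for one risk: a list of (gross_loss, {control: failed}).

    dependent=False draws each control's failure independently, the assumption the
    text says underpins control-scoring models. dependent=True drives every control
    from one shared uniform draw so that they fail together; comparing the two shows
    how much of the modelled mitigation rests on the independence assumption.
    """
    rng = random.Random(seed)
    draws = []
    for _ in range(n):
        gross = rng.lognormvariate(risk["mu"], risk["sigma"])
        shared = rng.random()
        failed = {}
        for name in risk["controls"]:
            u = shared if dependent else rng.random()
            failed[name] = u < failure_probability(CONTROLS[name])
        draws.append((gross, failed))
    return draws


def net_losses(draws, exclude=None):
    """Net loss per draw: the gross loss is incurred only when every control that is
    in place fails. exclude=<name> re-evaluates the same draws without that control."""
    out = []
    for gross, failed in draws:
        in_place = [c for c in failed if c != exclude]
        out.append(gross if all(failed[c] for c in in_place) else 0.0)
    return out


def quantile(values, q):
    """Empirical quantile: the value at position q through the sorted sample."""
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def risk_view(q=0.999, dependent=False, n=20_000):
    """Aggregation by risk: modelled net loss at the chosen confidence level."""
    return {name: quantile(net_losses(simulate_risk(r, n, dependent)), q)
            for name, r in RISKS.items()}


def control_view(n=20_000):
    """Aggregation by control: reduction in expected annual net loss over every risk
    the control mitigates (same random draws with and without it), then the benefit
    after cost. One control may mitigate several risks."""
    result = {}
    for cname, control in CONTROLS.items():
        reduction = 0.0
        for risk in RISKS.values():
            if cname in risk["controls"]:
                draws = simulate_risk(risk, n)
                reduction += mean(net_losses(draws, exclude=cname)) - mean(net_losses(draws))
        result[cname] = {"exposure_reduction": reduction,
                         "benefit_after_cost": reduction - control["cost"]}
    return result


if __name__ == "__main__":
    for name, value in risk_view().items():
        print(f"{name:32s} net loss at 99.9%, independent controls: {value:14,.0f}")
    for name, value in risk_view(dependent=True).items():
        print(f"{name:32s} net loss at 99.9%, controls failing together: {value:14,.0f}")
    for name, row in control_view().items():
        print(f"{name:32s} reduction {row['exposure_reduction']:12,.0f} "
              f"after cost {row['benefit_after_cost']:12,.0f}")
```

The by-risk figures rise sharply once the controls are allowed to fail together, which is the overstatement of mitigation the text warns about when controls are not independent. In the by-control view, evaluating the same draws with and without a control keeps the Monte Carlo noise out of the difference, and the expensive controls ("Supplier monitoring", "Retention packages" in this constructed data) come out with a negative benefit after cost even though they do reduce exposure, which is exactly the business question the paragraph above poses.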
At the other end of the scale, ‘Staff training and certification’ and ‘Client agree-
ments/marketing’ are both controls which cost considerably more than the
value that they bring to reducing the risk profile. The business question to
be asked now is whether these two controls can be operated at a lower cost,
while still achieving an acceptable mitigation of risk. In other words, is the
firm willing to spend that level of money in order to achieve a relatively small
reduction in risk profile? In some cases such a spend may be acceptable for
controls related to, for example, a regulatory risk which has to be mitigated in
order to comply with regulations. In other cases the choice will be much more
up to management to determine whether or not the reduction in risk justifies
the spend.
Risk owners
Figure 8.9 shows a comparison between the risk owners who were captured
during the risk and control assessment for gross loss, control benefit and net
loss. It is interesting to note that the highest net loss is risk owner DA, fol-
lowed by risk owner CK. It is to be expected that DA is the CEO of the firm
and that CK is one of the senior business heads. If this is not the case the firm
should ask itself whether it wants someone other than the CEO to be the largest
risk owner by value. It is also worth noting that risk owner TB has the largest
gross loss exposure and also the largest control benefit, i.e. the controls for TB’s
risks almost completely mitigate the highest value risks in the firm. Is, perhaps,
TB being over-optimistic in his/her control assessment? And, therefore, is the
firm more exposed to TB’s risks than it has previously thought?
Figure 8.9 Risk and control assessment model output example: risk owner results
The obvious question for the firm to ask itself is: ‘Do we want this set of
controls to be our best performing controls and this other set to be our worst
performing controls?’ In particular, and looking at Figure 8.11, the firm’s board
of directors and senior management should be asking: ‘Are we happy that “AML
annual training” is only the eighth most effective control and are we also happy
that “Physical security” is in the list of our 10 worst performing controls?’.
Clearly these questions are dependent on management having faith in the
risk and control assessments, although the questions will inevitably challenge
the scores in those assessments. This has the effect of a virtuous circle where
scoring, modelling and challenging generate real business benefit through
modifying the risk and control environment to fit the risk appetite of the firm.
Summary
Modelling operational risk can be, but should not be, an abstruse ‘black box’
approach accessible only, literally, to rocket scientists. It can and should be
rooted in the core operational risk framework processes of risk and control
assessments, loss events and indicators, as we have shown in this chapter. And
its assumptions and principles should be understood by the board and senior
management. Since it is used for capital modelling it can have a direct impact
on reports on both product and business line performance.
Within operational risk, as with most things, there is no one methodology,
let alone a limited set of distributions which can be applied. As was said in the
early days of operational risk, ‘let a thousand models bloom’.
But even if the assumptions are understood and the methodology is thor-
oughly and independently validated, the nature of operational risk means that
its modelling should be hedged with health warnings. The greatest danger is
to take the number at a particular point and not the range of possibilities.
Introduction
What are they and what’s the difference between them?
Why use scenarios?
Problems with scenarios …
… and how to do them better
Governance
Developing a set of practical scenarios
Preparing for the extreme event
Typical problems following scenario development
The near death experience
Applying scenarios to operational risk management data
Summary
Introduction
Stress testing and scenario analysis are essential tools for a firm’s planning and
operational risk management processes. They are rooted in the firm’s busi-
ness and strategic objectives and should form part of the process of identifying
those objectives. They alert the firm’s management to adverse unexpected
outcomes, beyond those which have been identified in risk and control assess-
ments or modelling, and supplement other operational risk management
approaches and measures. Stress tests and scenarios are not forecasts of what
is likely to happen; they are deliberately designed to provide severe, but
plausible, possible outcomes. They are necessarily forward-looking and there-
fore involve an element of judgement. Finally, they are invaluable during
periods of expansion, by providing a useful basis for decisions when none is
available from other sources.
Stress testing and scenario analysis interact with the three fundamental
processes of operational risk (see Figure 9.1) and are also a natural part of mod-
elling. As we have seen, events and indicators can be used to develop scenarios,
which are then applied to risk and control assessments.
Figure 9.1 The three fundamental processes of operational risk, surrounded by governance and reporting: identify key risk and control indicators; specify risk appetite, identify risk owner and assess likelihood and impact; identify control owner and assess design and performance; identify and capture internal and external events and analyse causes.
Figure (stress testing versus scenario testing): stress testing is single factor simulation drawing on hypothetical analysis, historical data and real events; scenario testing is multi-factor simulation built around vulnerabilities, historical scenarios and hypothetical scenarios.
the business. This is, of course, easily managed by involving senior manage-
ment in their development.
In the experience of the authors, whilst scenarios generally do produce large
loss numbers they can also, counter-intuitively, produce relatively small num-
bers. This happens when certain controls are assumed to have failed during a
scenario, but more vital and key controls are given fuller and more compre-
hensive attention (see the worked example later in this chapter). This may well
lead to a lower than expected level of loss, if the key controls are then assumed
to operate at their most effective and efficient level.
Mechanical, point-in-time
Scenarios have also often been conducted as a mechanical and point-in-time
exercise, with little thought for the reaction of the board or senior manage-
ment to the unfolding scenario. In reality, as scenarios unfold, management
takes action over a period of time (which could be as long as 18 months) to
mitigate the effect of the scenario on the firm. This point is often overlooked.
Additionally, a mechanical and point-in-time approach does not tend to take
account of changing business conditions or incorporate qualitative judgements
from different areas of the firm.
Governance
As with any operational risk methodology or procedure, it is vital to ensure
that the governance relating to the methodology is documented and under-
stood. Good governance will enable the board and senior management to guide
and direct the operational risk scenario strategy and to review its effectiveness.
From a practical perspective, this will involve setting the scenario objectives;
defining the scenarios; discussing and promoting the discussion of the results
of the scenarios; assessing potential actions and making clear decisions based
on the results; fostering internal debate on the results of the stress tests and
scenarios programme as a whole; and challenging prior assumptions such as cost,
risk and speed for raising new capital or hedging/selling positions. All of these
governance points may be taken up by the board in its meetings or may be dele-
gated to a board scenarios sub-committee which reports back to the full board.
An example of scenario governance came in a paper from the Basel
Committee in May 2009. The headline principles are shown in the box below.
Although they were written for banks, they apply equally to any industry.
On the face of it, principles 13 and 15 can be said to be not applicable to oper-
ational risk. However it is easily arguable that pipeline and warehousing risks
and the firm’s vulnerability to highly leveraged counterparties include a sig-
nificant element of operational risk and therefore should be included in any
operational risk exposure review such as scenarios.
Operational risk scenarios should enable a firm to understand the sensitiv-
ities of all of the elements of the firm’s operational risk exposure, as set out in
the operational risk framework we have described in this book. This includes:
The answer is around 70 million, but the first group will give answers near to
30 million and the second will give answers near to 100 million. Try it at your
next party and amaze your guests!
The use of external loss data can help in inspiring scenarios which might
otherwise have been overlooked and can therefore mitigate availability bias.
However, availability bias can also affect the frequency assessments. The like-
lihood or frequency of an event may be overstated if the relevant event has
occurred recently or if it has been personal experience. Conversely, the likeli-
hood may be underestimated if the event has not been previously experienced.
For example, someone who has previously been involved in a fire is more likely
to overestimate the risk of a fire. On the other hand, firms often significantly
underestimate the frequency of internal fraud since relatively few internal
frauds are actually detected. It is therefore important to bear in mind availabil-
ity bias and, if necessary, adjust for it, especially when using external loss data.
Taking in this data may give a false sense of having covered most eventualities.
Motivational bias arises when a participant has an interest in influenc-
ing the result. It can lead to the understatement of frequency and impact, the
understatement of the effectiveness of controls, and the understatement of the
uncertainty surrounding the assessment made. It is very common, for example,
for control owners to overstate the efficiency and effectiveness of the controls
for which they are responsible. When a control assessment is presented to the
risk owner and business line manager, a very different view of the capability
of the controls mitigating that risk often emerges. There is also, of course, an
incentive to understate potential losses in order to reduce the capital required
to run the business line or the firm; or simply to provide a rosier view of the
riskiness of the business line to the firm. Making scenarios subject to peer
review, in addition to the formal challenge process carried out by risk manage-
ment, is a good way to reduce the influence of motivational bias.
The influences of these biases can be seen in likelihood assessments.
Estimates for likelihood can be particularly difficult when considering rare
events. It is, for instance, difficult to distinguish between a 1 in 1000 chance
in one year for the event, and a 1 in 10,000 chance. Both events are beyond
most people’s comprehension. Availability bias is almost inevitable in these
circumstances, particularly when using external likelihood data, of which there
will be relatively little. Examples of how likelihood and impact can be assessed
are shown in Tables 9.1 and 9.2.
Impact assessments of scenarios are also prone to problems as most people
find it difficult to think in terms of probability distributions. Ideally, several
impact values for the scenario will be helpful at specified percentiles along the
distribution. This is known as the percentile approach.
From a practical perspective, the assessment quantile for the scenario is
likely to be agreed as the 95th, 99th, 99.9th or ‘worst case’ (which is often sub-
sequently defined as one of the extreme quantiles). This will give one impact
estimate, say £5m, linked with a single likelihood of occurrence, say 1 in 100
chance, and is known as the individual approach. However, the single value
estimate it produces can introduce a spurious accuracy.
An alternative but more difficult approach is the interval approach, which
consists of frequency estimates for a series of distinct impact ranges. This is
conceptually similar to a risk and control assessment approach, although obvi-
ously different in detail.
Environment
Scenarios should also take account of the broader business environment.
Political, financial/economic, social, technological, environmental and legal
factors will inevitably affect the scenarios over the period they cover. The
scenarios should be challenged by each of these factors to ensure they have been
fully incorporated.
Random words
At the other end of the scenario development spectrum lies the random word
methodology. Using random words is a surprisingly powerful way of gener-
ating scenarios. It consists of taking a number of scenario related words or
phrases which may apply to the firm (such as fire, flood, utility failure, out-
sourcer failure, money laundering, internal fraud, terrorist attack) and choosing
two or three at random. A scenario is then constructed around the chosen
words or phrases which is relevant to the firm. It can be surprising how ran-
domly chosen words are a powerful and imaginative way to construct credible
and relevant scenarios.
OO reputational damage
OO adverse environmental impact
OO supply chain disruption
OO major competitor win.
Although any one scenario can be used to test a risk profile, it will really form
a stress test on one parameter. To produce a more extreme tested profile, a
number of the scenarios should be considered as occurring together or over a
reasonable timescale.
of stress, decisions can be made ‘on the hoof’ and without full information. If a
culture of informed decision making and robust communication up and down
the firm is embedded in everyday business practices, it is more likely to con-
tinue during times of stress.
Risk appetite
Knowing and understanding the firm’s risk appetite and its thresholds may
also help the firm reduce the impact of a stress event. Although it is very likely
that the firm’s risk appetite will be exceeded during a period of stress, there is
more likely to be a defined escalation procedure and understanding of the sen-
sitivities of the firm’s risk profile if consideration is given to the risk appetite.
If a firm does have a developed risk appetite, it is more likely that it will
have a full set of risk and control assessments and a realistic view of the risk
and control profile of the firm. Challenges to the assessments and the result-
ing profile need to be made during normal times for this particular defensive
approach to be valuable. If such challenges form a routine part of the firm’s
governance, the resulting information is much more likely to have the confi-
dence of senior management and therefore to be used in a period of stress.
Paralysis
Sometimes the scenario result is so awful that the conclusion is drawn that
little can be done to prepare for it. Even in the event of the scenario showing
that the firm would be liquidated, action can always be taken, including draw-
ing up a ‘living will’, similar to the recent proposals for internationally active
banks discussed in the next section.
‘Living wills’
Reverse stress tests look at the stage shortly before collapse. ‘Living wills’ are
designed to be activated when that point has been reached and will be trig-
gered when certain pre-defined events occur or criteria are met. The ‘living
will’ will specify in some detail how the firm will downsize and completely
restructure its business; allow itself to be acquired or its business to be trans-
ferred; or wind itself down in an orderly fashion over a relatively short period
of time. As well as specifying the detail of how the ‘living will’ works, it is
equally important to decide on realistic trigger(s) for activating it. If a trigger
point is not realistic, there is the danger that the point will be reached, and
management will refuse to acknowledge reality and hope that something may
turn up. The trigger should be fixed at the point where the ‘living will’ cannot
be aborted.
Deterministic approach
This takes the scenarios which have been developed and tests the relevant risk
and control assessment with the scenario outcomes. The testing is carried out
through the analysis of which controls have failed for the scenario to occur and
therefore which risks have happened and what is the impact of those risks.
Useful guidance is given in terms of the size of the likely impacts through
the impact ranges which were developed during the risk and control assess-
ment process. These impact ranges, though, should be considered as guidance
only and should not be slavishly adhered to. For example, some controls which
mitigate a particular risk may still exist and be operable during a scenario
and therefore the impact may be significantly less than is given by the risk’s
impact range. However, the upper value of the range should only be exceeded
after significant debate, as this will have already been considered and discussed
during the risk and control assessments.
Having assessed the impacts of the risk events which occur during a
scenario, it is possible to calculate (through simple addition) the extra impact
of the scenario on the firm’s risk profile. Action can then be taken in terms of
a cost–benefit analysis of the controls which were affected by the scenario. This
is combined with a review of the firm’s risk appetite in order to determine
whether or not control enhancement is required. Additionally, the application
of the scenario and tests may uncover controls which were previously thought
to be adequate and which now require action.
Probabilistic approach
This approach transforms qualitative and subjective risk assessment to mon-
etary values through probabilistic modelling. It uses the same initial step as
the deterministic approach, that is the existing risk and control assessment is
tested with the scenario outcomes in order to determine which controls have
failed. The revised, scenario-adjusted risk and control assessment is then sub-
jected to risk event occurrence through control failure simulation, as we saw in
Chapter 8, Obtaining business benefits from qualitative modelling.
The advantages of this approach are:
OO a more focused cost–benefit analysis of controls, as the monetary reduc-
tion of the risk profile is explicit
OO a clearer view of risk appetite, again as the monetary value of risks and
controls is explicit
OO the ability to see the monetary impact of the scenario at different explicit
confidence levels, rather than simply at one (unarticulated and implicit)
level as in the deterministic approach
OO the sensitivities of different risks are more apparent as their monetary
values are available at different confidence levels
OO analyses from different risk perspectives following the scenario (such as
the risk owner, the risk category, the top residual risk and the worst and
best performing controls) can be more easily extracted
OO access to different confidence levels allows reverse stress testing to be
better understood as any scenario can be extended to a level at which the
firm is no longer viable.
A worked example
A firm develops a scenario which involves internal fraud (due to an employee
having gambling debts) occurring at the same time as IT system failure. The
firm’s current risk and control assessment contains, inter alia, the risks, con-
trols and assessments shown in Figure 9.3.
The first step is to review the controls and identify those which are assumed
to have failed for the purposes of the scenario, as the firm is then exposed to
the risks which were mitigated by the failed controls. These are identified in
Figure 9.3:
OO criminal background check, which did not identify the fraudster
OO training and mentoring schemes, which have not identified that the
employee was at risk
OO business/strategic planning, which has failed to provide enough focus on
an appropriate IT system
Figure 9.4 Extract from risk and control assessment, showing failed controls and subsequent improved controls with new assessment scores

ID | Risk | I | L | Control | D | P | Fail | Improve | New D | New P
1 | Failure to attract, recruit and retain key staff | 4 | 4 | Criminal background check | 3 | 2 | Yes | Yes | 3 | 4
 | | | | Salary surveys | 2 | 2 | | Yes | 2 | 3
 | | | | Training and mentoring schemes | 3 | 2 | Yes | Yes | 3 | 3
 | | | | Retention packages for key staff | 4 | 4 | | | 4 | 4
12 | Inadequate or insufficient IT infrastructure to achieve business objectives | 2 | 4 | Business/strategic planning | 3 | 4 | Yes | | 3 | 4
 | | | | IT system performance and capability monitoring | 4 | 3 | Yes | Yes | 4 | 4
 | | | | Manual workarounds | 2 | 2 | | | 2 | 2
16 | Failure to sense and eliminate internal fraud | 3 | 2 | Criminal background check | 4 | 4 | Yes | Yes | 3 | 4
 | | | | Segregation of duties | 2 | 3 | Yes | | 2 | 3
 | | | | Training and mentoring schemes | 3 | 2 | Yes | Yes | 3 | 4
 | | | | Fraud monitoring | 4 | 4 | | | 4 | 4
 | | | | Whistle blowing | 3 | 3 | | | 3 | 3

(I = impact, L = likelihood, D = design, P = performance; all scored 1 to 4.)
These are scored 4, 2 and 3 respectively for impact. We now assume that all
the controls have worked as previously scored in the baseline RCA, but that
the controls named on the previous page have failed in the scenario.
The methodology for calculating the baseline, scenario and adjusted baseline
risk and control assessments is as follows:
Step 1 Start with the original baseline risk and control assessment and derive a gross loss
figure, i.e. before the interaction of controls
The gross loss figure is simply given by mid-point of the range or the maxi-
mum impact for each risk which occurs in the scenario. (The mid-point can
be considered to be the deterministic equivalent of the 50th centile; the maxi-
mum impact can be considered to be the worst case, i.e. either the 95th centile
or the 99.9th centile.)
In this case we have three risks, listed above, with impacts in bands 4, 2
and 3. We can assume that with no controls these will be at the mid-point or
at the top of their respective bands, therefore the gross impact for the scenario
will be equal to the mid-point or to the maximum of band 4 plus the equiva-
lents of bands 2 and 3.
As you can see from the impact scale above, the mid-points give £(12.5m +
0.625m + 3m) or £16.125m and the maximum for band 4 is £20m, for band 2
is £1m and for band 3 is £5m, giving a total maximum gross loss of £26m.
Or
Net mid-point impact (Risk 1)
= £12.5m – [( 3 × 2 + 2 × 2 + 3 × 2 + 4 × 4 )/( 4 × 16 )] × £12.5m = £6.25m
So we have values for the maximum and mid-point gross and net losses from
Risk 1 in the scenario. We now duplicate this method with Risks 12 and 16,
to find that in this case
Net maximum impact (Risk 12)
= £1m – [( 3 × 4 + 4 × 3 + 2 × 2 )/( 3 × 16 )] × £1m = £417k
and
Net maximum impact (Risk 16)
= £5m – [( 3 × 2 + 2 × 3 + 3 × 2 + 4 × 4 + 3 × 3 )/( 5 × 16 )] × £5m = £2.313m
Step 4 Deriving a total value for the net baseline risk and control assessment
The net impact of this scenario at the baseline level is therefore found by
summing the net components of all the relevant risks, in the maximum case
Step 5 Assessing control failures for the scenario risk and control assessment
The first thing to do is analyse the scenario to work out which controls have
failed in order to allow this scenario to occur. In this case and as shown in
Figure 9.3, we have assessed that seven of the 12 controls over the three rel-
evant risks have failed. This judgement is subjective so you must consider
which aspects of the risk and controls are relevant. Any control which is either
not relevant or could not allow the scenario to occur if working correctly must
be assumed not to be mitigating the scenario or to have failed.
The scenario gross loss is the same as the baseline gross loss, as the risk
assessment should not change between the two, only the control assessment
(which affects only the net loss).
We then calculate the same for the other risk components of the scenario and,
as before, sum them to find a total net loss.
It can be seen that the maximum deterministic values are at a similar level to
the modelled 99.9% confidence level.
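As an added illustration, which is not the authors' spreadsheet or any tool from the book, the following Python carries the worked example through in code: Step 1 (gross loss at band mid-point or maximum), the net impact formula for each risk, the Step 4 total, the Step 5 scenario in which the seven flagged controls are treated as not mitigating, and the deterministic "extra impact" of the scenario. It then adds a simple control-failure simulation, our own assumption standing in for the Chapter 8 model, to show how the percentile view of the probabilistic approach (95th, 99th and 99.9th confidence levels) is read off the same assessment. The impact bands, control scores and failed-control set are taken from the chapter (for Risk 16's criminal background check the formula's 3 × 2 scores are used); the simulation rule that a control holds with probability D × P / 16 is assumed.

```python
"""Net impact of a scenario against a risk and control assessment (RCA):
the deterministic method of the worked example plus a control-failure
simulation.  Added illustration; not the book's own software."""
import random

# Impact bands stated in the chapter: band -> (mid-point, maximum) in GBP millions.
IMPACT_BANDS = {2: (0.625, 1.0), 3: (3.0, 5.0), 4: (12.5, 20.0)}
MAX_SCORE = 16  # design (D) x performance (P), each scored 1 to 4

# Constructed from the worked example: risk id -> (impact band, [(control, D, P), ...]).
# The scores are those used in the chapter's net impact formulas.
BASELINE_RCA = {
    1: (4, [("Criminal background check", 3, 2),
            ("Salary surveys", 2, 2),
            ("Training and mentoring schemes", 3, 2),
            ("Retention packages for key staff", 4, 4)]),
    12: (2, [("Business/strategic planning", 3, 4),
             ("IT system performance and capability monitoring", 4, 3),
             ("Manual workarounds", 2, 2)]),
    16: (3, [("Criminal background check", 3, 2),
             ("Segregation of duties", 2, 3),
             ("Training and mentoring schemes", 3, 2),
             ("Fraud monitoring", 4, 4),
             ("Whistle blowing", 3, 3)]),
}

# Controls flagged as failed for the internal fraud + IT failure scenario.
# Two names appear under two risks each, giving the seven failed controls of 12.
SCENARIO_FAILED = frozenset({
    "Criminal background check", "Training and mentoring schemes",
    "Business/strategic planning", "IT system performance and capability monitoring",
    "Segregation of duties",
})


def gross_impact(band, level="max"):
    """Step 1: gross loss before controls, at the band mid-point or maximum."""
    mid, maximum = IMPACT_BANDS[band]
    return mid if level == "mid" else maximum


def control_effectiveness(controls, failed=frozenset()):
    """Share of the gross impact mitigated: sum(D*P) over the maximum possible.
    Assumption: a control assumed failed in the scenario contributes nothing,
    while the denominator still counts it (Step 5 in the chapter)."""
    held = sum(d * p for name, d, p in controls if name not in failed)
    return held / (len(controls) * MAX_SCORE)


def net_impact(risk_id, level="max", failed=frozenset(), rca=BASELINE_RCA):
    """Net loss for one risk = gross - effectiveness * gross (chapter formula)."""
    band, controls = rca[risk_id]
    gross = gross_impact(band, level)
    return gross - control_effectiveness(controls, failed) * gross


def totals(level="max", failed=frozenset(), rca=BASELINE_RCA):
    """Steps 4 and 5: (gross, net) totals across every risk in the scenario."""
    gross = sum(gross_impact(band, level) for band, _ in rca.values())
    net = sum(net_impact(r, level, failed, rca) for r in rca)
    return gross, net


def scenario_extra_impact(level="max", rca=BASELINE_RCA):
    """Deterministic approach: extra net impact of the scenario over the baseline."""
    _, baseline_net = totals(level, frozenset(), rca)
    _, scenario_net = totals(level, SCENARIO_FAILED, rca)
    return scenario_net - baseline_net


def simulate_losses(failed=frozenset(), trials=20000, seed=1, rca=BASELINE_RCA):
    """Control-failure simulation (our assumption, standing in for the Chapter 8
    model): in each trial a control not already assumed failed holds with
    probability D*P/16, and a risk loses its maximum gross impact scaled by the
    share of controls that did not hold.  The expected loss equals the
    deterministic net; the spread gives the percentile view.  Returns sorted losses."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        total = 0.0
        for band, controls in rca.values():
            held = sum(1 for name, d, p in controls
                       if name not in failed and rng.random() < d * p / MAX_SCORE)
            total += gross_impact(band) * (1 - held / len(controls))
        losses.append(total)
    losses.sort()
    return losses


def percentile(sorted_losses, q):
    """Value at quantile q (0 < q < 1) of an ascending list, e.g. q=0.999."""
    idx = min(len(sorted_losses) - 1, int(q * len(sorted_losses)))
    return sorted_losses[idx]


if __name__ == "__main__":
    for level in ("mid", "max"):
        g, n = totals(level)
        print(f"baseline {level}: gross £{g:.3f}m, net £{n:.3f}m")
    print(f"scenario extra impact (max): £{scenario_extra_impact():.3f}m")
    sim = simulate_losses(SCENARIO_FAILED)
    for q in (0.95, 0.99, 0.999):
        print(f"scenario loss at {q:.1%}: £{percentile(sim, q):.2f}m")
```

Because the simulated loss of each risk averages out to the deterministic net figure, the two approaches agree on the expected scenario cost; what the simulation adds is the tail, which is where the reverse stress testing and risk appetite discussions above get their numbers. Note that controls scored 4 × 4 never fail under the assumed rule, so the simulated 99.9th percentile sits below the £26m gross maximum; a firm applying the book's own Chapter 8 model should expect its tail to behave according to that model's rules rather than this assumed one.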
Summary
Scenarios are all about imagination and not being afraid to think the unthink-
able. Indeed, they are totally concerned with the unthinkable. They are not a
mathematical exercise but a practical one, aimed at identifying events or, more
precisely, combinations of events which could threaten a firm’s objectives and
even its existence. As a practical exercise, they are the glue which binds the
other elements of the framework together and test whether the operational risk
framework is robust and fit for purpose. However they do contemplate threats
to the existence of the firm. If those threats appear, the immediate remedy is a
well thought out and fully tested business continuity plan, which we shall con-
sider in the next chapter.
Notes
1 www.lloyds.com.
2 Australian Prudential Regulation Authority, Applying a structured approach to operational
risk scenario analysis in Australia, September 2007; www.apra.gov.au.
3 www.bis.org/publ/bcbs160.htm.
4 Senior Supervisors Group, Observations on Risk Management Practices during the Recent
Market Turbulence, March 2008; www.financialstabilityboard.org.
4 Mitigation and assurance
Introduction
Business continuity and risk management
Policy and governance
Business impact analysis
Threat and risk assessment
The business continuity strategy and plan
Testing the plan
Maintenance and continuous improvement
Introduction
It is a fact of life that ‘stuff happens’. Dealing with it is much of what oper-
ational risk management is all about. Many operational risks can be managed
and mitigated down to acceptable levels, as this book has shown. Some things,
however, cannot be prevented. The best we can do is to have in place contin-
gency plans which will mitigate the effects as best we can.
To that extent operational risk is rather like politics. When Harold
Macmillan, British Prime Minister from 1957 to 1963, was asked by a journal-
ist what was most likely to blow a government off course, he famously replied,
‘Events, dear boy, events.’ Business continuity is about coping with the unfore-
seen events, some of them apparently undramatic, which nevertheless threaten
a business’s survival. Attitudes such as ‘It won’t happen to us’, ‘We will cope –
we always do’, ‘We’re not a terrorist target’ are unrealistic and, from a business
point of view, life-threatening.
After an event, firms fall into two categories – ‘recoverers’ and ‘non-
recoverers’. Research regularly shows that firms which successfully deal
with a crisis see their share value increase. Similarly, firms which invest and
budget most on risk, business continuity and governance are the most profit-
able in their sector. Business continuity planning is an investment not a cost.1
Another survey has shown that 80% of businesses which do not have a business
continuity plan close within 18 months of a major incident.2
Many people questioned the huge amounts of money and resource which
went into coping with the potential disaster of the Millennium Bug (Y2K).
The effort and investment repaid itself many times over when the planes hit
the twin towers of the World Trade Center, New York on 11 September 2001.
The enormous amount of work which had gone into cleaning up the spaghetti
of systems which firms were running, understanding infrastructure depen-
dencies and developing and testing comprehensive business continuity plans,
prevented the 9/11 attack from being much more disastrous. Despite the tragic
and horrendous loss of life and disruption, it was business as usual after a brief
four days, including a weekend. Perhaps business continuity’s finest hour.
In his foreword, as Director-General, to a CBI publication on business con-
tinuity, Digby Jones (later Lord Jones of Birmingham) wrote: ‘A reliance on
piecemeal procedures adopted and adapted over time will not suffice. Business
availability is a strategic issue which covers the whole organisation and as such
requires a comprehensive solution.’3 If the business isn’t available, there is no
business. Strategic issues don’t come more critical than that.
Table 10.1 Differences between risk management and business continuity management

                   Risk management                          Business continuity
Key method         Risk analysis                            Business impact assessment
Key parameters     Impact and probability                   Impact and time
Type of incident   All types of events – though usually     Events causing significant disruption
                   segmented
Size of events     All sizes/costs – though usually         Strategy deals with survival-threatening
                   segmented                                incidents, but can be applied to any size
Scope              Focus mainly on management of risks      Focus mainly on incident management,
                   to core business objectives              generally outside the core competencies
                                                            of the business
Intensity          All, from gradual to sudden              Generally sudden or rapid events, though
                                                            a creeping incident may become severe

Source: The Business Continuity Institute, Good Practice Guidelines 2008, Section 1, p.7
Business continuity deals with the management of incidents which will cause
significant disruption to the business. It deals with low likelihood events but
is mainly dealing with their impact. The impact of an incident, as well as
recovery from it, is measured primarily by time so that disruption to customers
and suppliers is kept to a minimum and business as usual is restored as quickly
as possible. To ensure that happens, firms need to develop and test business
continuity plans, working their way through the business continuity lifecycle.
In practical terms this means:
OO Policy and governance
OO Business impact analysis
OO Threat and risk assessment
OO The business continuity strategy and plan
OO Testing the plans
OO Maintenance and continuous improvement
all of which we shall look at in the rest of this chapter.
Policy statement
The policy statement is the benchmark against which all business continuity
activity should be continually checked. Since confusion is often the major ob-
stacle to an effective response to an operational disruption, the policy statement
should clearly set out the level of business continuity the firm sets out to achieve.
It should include:
OO the firm’s operational framework for business continuity management
OO board-level sponsorship
Governance
Business continuity is not an IT issue. Like operational risk, it concerns the
whole business and threats to its existence. It therefore needs to be owned by
all parts of the firm, with a central point of accountability on the board. That
director will sponsor the ‘project’ and be responsible for ensuring that adequate
plans are in place and are regularly tested and reviewed.
Developing, reviewing and invoking the business continuity plan will
involve a steering committee which should be chaired by the board sponsor.
This should include senior stakeholders from business, risk, IT and other sup-
port management. Joining the group should mean a serious time commitment.
Apart from the time which is needed to develop a business continuity plan,
which is rarely trivial, members should be prepared to meet regularly during
the development and implementation phases of the project.
Both the plan and any testing of it should be independently reviewed and
audited, perhaps by the internal or external auditor. Whoever does it, reports
should go to the board, who are ultimately accountable for the project and,
more importantly, for business availability.
Threats
Before they actually happen, incidents are threats. The risk lies in the likeli-
hood of their becoming incidents and the potential impact if they do.
The incidents which are likely to trigger invocation of the plan are often exter-
nal threats or causes and largely outside your control. Where controls can make a
difference, the incident is likely to happen when those controls have failed.
Each organisation will need to determine the threats which it believes have
both sufficient impact and are likely to occur at some point as to be worth
considering. The list needs to be reviewed regularly to check the current
Impact assessment
Essentially, the method of assessment is the same as that used for building
and evaluating scenarios in the previous chapter, with the proviso that, with
business continuity, time is the critical measure of impact – how long will an
interruption have to last to be intolerable, if not catastrophic?
In risk assessment terms, the threats should be at the extreme end of the
spectrum in the low-likelihood, very-high-impact section, as measured against
a firm’s risk appetite. If the likelihood of a high (residual or net) impact event
occurring is considered to be greater than ‘low’ then it is not a suitable case for
business continuity. It needs to be dealt with now by a review of controls and
probably the introduction of new ones to reduce both its likelihood (if pos-
sible) and its impact.
Response triggers
When a threat turns into an incident, it will generate a response. The business
continuity plan formulates those responses. Response triggers usually come
down to half a dozen or so, that are typically variations on loss of premises, staff,
equipment, systems, a production line, key suppliers or outsourced activity.
One of the lessons of the London bombings in July 2005 was that the firms
which were able to respond best had concentrated their business recovery on
impacts and decision making, rather than the nature of a disruption and its
possible causes. As a result, following a more generic-based approach, they had
the flexibility to respond to a broad range of potential scenarios. The key point
about scenarios is not to get into too much detail with them. As with much of
business continuity planning – keep it simple.
Threats should be continually reassessed and reviewed. Whenever a new
threat is identified, it should be checked against existing response triggers. If
necessary, a new one can be added. The importance of each trigger is a mix of
the results of the business impact assessment and the sum of the likelihood of
the threats associated with it.
Example
Thinking about the response options
Business activity levels
What levels of business activity are acceptable, for what periods of time? Use
a series of levels starting with ‘business as usual’, through one or more ‘emer-
gency levels’ down to ‘no business’.
Staffing
Business continuity critically involves human issues (including families of
staff). In considering your strategy, always remember that human safety is
paramount.
Will there be sufficient staffing in the event of a pandemic, when significant
numbers may be quarantined? Would there be sufficient staff in the event of
no transport or very limited communications, such as mobile phones? Are suf-
ficient staff trained to carry out critical functions?
The SARS pandemic and 9/11 have emphasised the importance of planning
on the basis of there being no people available in a location. Are succession
plans adequate?
Locations
What alternative locations are there? These could range from a mirrored site
for immediate use with minimum downtime to working from home. For
most, it will probably involve relocating to a different site, often a syndicated
site. If you have chosen syndicated back-up facilities, will they be available for
all the people who might need them in the event of a ‘wide-area’ event? How
many times has each seat been contracted out in the event of an emergency?
How does the provider assess priorities?
For each kind of alternative site the important thing is for it to be outside
the risk zone of the primary site, and with separate sources of critical supplies
of telecommunications, power and water.
Communications
Another lesson from major, wide-area incidents such as 9/11 is that mobile phone networks cannot handle the concentrated traffic. That means considering the whole range of alternatives: digital and analogue land line telephones, mobile phones (with a reserve of spare batteries), satellite phones, websites, etc.
Where can phone lines be diverted to? What other switchboard/reception
facilities could be used? Importantly, how will you communicate with staff
away from the main site – whether at the alternative site or at home?
And, probably more importantly, how will the crisis management team
keep themselves up to date? It became apparent at the time of the London
bombings in 2005 that the best news of what was happening was coming from
satellite news channels. However, crisis management teams were in locations
without access to them, so that at times staff at the front desk were better
informed than they were.
Infrastructure – power
Will there be sufficient backup power? That problem was highlighted during the major power grid failures in the NE United States and eastern Canada in 2003. The American Stock Exchange appeared to have sufficient backup electrical power. However, its air conditioning system ran on steam supplied by the utility, and that system began to fail as a result of the general lack of electrical power; by then there was insufficient time to relocate to an alternative site. In the end, a backup steam generation boiler was installed, with the loss of nearly a day’s trading.
Infrastructure – data and systems
How will we ensure systems and up-to-date data will be in place and available for use? What backup data centres exist? Which systems have fallbacks in remote sites? Which systems have backups offsite? How often are the backups sent offsite?
Infrastructure – utilities
In the event of an incident will we be able to rely on utilities such as power, transport and telecommunications? Are there alternatives? If we depend on them, have we tested the availability of supporting infrastructure such as clearing or money transmission facilities, whether we’re a bank or not?
One word about the crisis management team before we move on to documentation. They are the people who will have management responsibility when the plan is invoked or tested. The team will have representatives from all relevant functions, depending on the type of incident impact being considered. As was pointed out in the previous chapter, unless the firm is so small that it is unavoidable, it should not have the CEO as a member. In the event of a crisis, the CEO continues to run the business. The crisis management team runs the crisis.
However you document – Word file, Blackberry or sophisticated software
tool – make sure that it is manageable and readily accessible for all those who
will need it. Not everybody needs the whole plan. Work on a ‘need to know’
basis and plan at all levels, from enterprise-wide to individual departments, so
that staff have what they need at their level. There is no definitive list of the
types of information which a department may find useful during a crisis, but
remember that the more that is included, the more work will be needed to
keep it up to date.
When a department has an alternative location to relocate to, it can usually store whatever it may need there in the way of specialised equipment and paper documentation. This is often referred to as a contingency box (or battle box). A list of its contents, together with the last time they were checked or updated, is a vital part of the plan.
Why test?
As the military often say, no plan survives contact with the enemy. Having said that, thorough planning and training will give you a better chance of succeeding and your business surviving and being available as soon as possible for business as usual.
As a result of the Hanshin-Awaji earthquake which struck Kobe and Osaka in January 1995, Japan, including its financial system, spent considerable effort refining business continuity plans in the light of the lessons learnt from the earthquake. When the Niigata Chuetsu earthquake, 6.8 on the Richter scale, struck the Chuetsu region in October 2004, there was minimal disruption to financial services, despite the considerable structural damage. Frequent lightning strikes in the region had also led to resilient plans to cope with loss of telecommunications, power, water and transport.
Rather than endure an emergency, it is essential to test the plan – or exercise it, as business continuity professionals prefer to say, echoing the military – and learn the lessons. The point of a test is to practise and to learn. The more you test, the more you can continuously improve.
It is often said that a business continuity plan is like a fire extinguisher – it sits inert, possibly for years, but must be there and working when needed. And as a plan must work under all circumstances, not just ideal ones which, by definition, will not exist at the time, it needs to be tested as fully as possible – to the limit in critical areas.
The test
The idea is to validate a process and identify weaknesses or errors in the plan.
It’s a learning experience.
The key to a good test – and a good plan – is documentation. Good documentation should be kept before, during and after the test to form a basis for reviews and for the next test.
During the test, have an independent observer (or more than one, depending
on the scale of the test and resources available) to provide objective feedback
on how the test works, including the effectiveness of communication between
staff, the crisis team and others – and to note where things went well.
And keep the report readily available for next time. Otherwise, all those
valuable lessons will be lost and the next exercise will just repeat the mistakes
of the past.
[Figure: operational risk event – insurance trigger or peril – claim/loss]
Operational risk often (perhaps too often) concerns itself with identifying and
measuring events. Insurance is also triggered by an event, but it then looks to
why the event occurred. A fire policy will pay for the damage caused by a fire,
but not if it is shown that the cause was arson on the part of the policyholder;
or if a sprinkler system on which the insurance was conditional had not been
installed. Insurance will pay for a theft, but possibly not if the alarm system
had knowingly been allowed to remain inactive for a period of time, or security
controls had lapsed.
The reason why will also determine which kind of policy will respond to an event. Take fraud, for instance. In the case of a bank, it may be covered under a Bankers’ Blanket Bond, assuming it was caused by employee dishonesty. Non-banks will have similar policies covering employee dishonesty. However, if it involved computer crime by somebody outside the firm, then a specialist Electronic Computer Crime policy might come into play. A Professional Indemnity policy’s fraud extension might be relevant if a third party was involved. And finally, in a case like Enron, it could be that the company and non-negligent directors will seek to claim under the company’s own Directors’ & Officers’ policy. In all of these, cause is the critical issue.
Buying insurance
The insurance buyer
To buy insurance effectively you need a clear understanding of your firm’s risk
exposure and also the effectiveness of controls already in place to mitigate that
risk. Given the costs involved, the analysis required and the fact that the whole
point of insurance is to be a mitigant to the residual risks a firm faces, it is
extraordinary how very often, in firms which have a risk function, there is little
or no contact between the insurance buyer and the risk department.
Too often risk buying comes out of procurement or premises management –
presumably on the basis that it is seen as having to do with property and cars
– or at best finds itself parked (possibly with the management of the car fleet)
in the company secretary’s office. So first make sure insurance buying is either
part of the operational risk function, which is where the relevant risk reports
are being captured, or at least has close contact with it.
Buying centrally also helps to ensure that cover is consistent and not duplicated. Too often insurance buying is undertaken in the silos of the various business units, wasting resource and money and probably not getting the best insurance coverage.
historic data and resulting estimates of severity, the risk manager should be
able to work out a suitable limit or cap to the amount of cover he or she wishes
to buy. Figure 11.1 shows this in diagrammatic form.
Figure 11.1 Using the loss distribution curve for insurance buying: lognormal curve showing insurance portion
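The lognormal loss curve of Figure 11.1 can be turned into numbers. The following is an added example, not from the book: it fits a lognormal severity from a mean and standard deviation, reads a candidate cap for cover off a quantile of that curve, splits each loss into the attritional part retained below a deductible, the insured layer and the tail retained above the limit, and simulates annual aggregate losses to show how much volatility the cover removes. All frequencies, amounts and the Poisson frequency assumption are constructed for illustration.

```python
"""Sizing an insurance layer against a lognormal loss curve (illustrative only)."""
import math
import random
from statistics import NormalDist
from typing import Dict, List, Tuple


def lognormal_params(mean: float, sd: float) -> Tuple[float, float]:
    """Convert the mean and standard deviation of a single loss into the
    (mu, sigma) parameters of the underlying normal distribution."""
    if mean <= 0 or sd < 0:
        raise ValueError("mean must be positive and sd non-negative")
    sigma2 = math.log(1.0 + (sd / mean) ** 2)
    mu = math.log(mean) - sigma2 / 2.0
    return mu, math.sqrt(sigma2)


def severity_quantile(mu: float, sigma: float, p: float) -> float:
    """Loss size exceeded with probability (1 - p); a candidate cap for cover.
    With sigma == 0 every loss equals exp(mu)."""
    if sigma == 0:
        return math.exp(mu)
    return math.exp(NormalDist(mu, sigma).inv_cdf(p))


def split_loss(loss: float, deductible: float, limit: float) -> Tuple[float, float, float]:
    """Split one loss into (retained below deductible, insured, retained above limit).
    The part below the deductible is the attritional 'cost of doing business'."""
    if loss < 0 or deductible < 0 or limit < 0:
        raise ValueError("amounts must be non-negative")
    below = min(loss, deductible)
    insured = min(max(loss - deductible, 0.0), limit)
    above = max(loss - deductible - limit, 0.0)
    return below, insured, above


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method for Poisson samples; adequate for the small frequencies used here."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_programme(freq: float, mean: float, sd: float, deductible: float,
                       limit: float, years: int = 10_000, seed: int = 1) -> Dict[str, float]:
    """Monte Carlo of annual aggregate losses, gross and net of a deductible/limit
    programme. Returns the mean and 99th-percentile annual loss for both views."""
    mu, sigma = lognormal_params(mean, sd)
    rng = random.Random(seed)
    gross: List[float] = []
    retained: List[float] = []
    for _ in range(years):
        losses = [rng.lognormvariate(mu, sigma) for _ in range(_poisson(rng, freq))]
        gross.append(sum(losses))
        # the firm keeps what falls under the deductible and what exceeds the limit
        retained.append(sum(b + a for b, _, a in (split_loss(x, deductible, limit) for x in losses)))

    def p99(xs: List[float]) -> float:
        xs = sorted(xs)
        return xs[int(0.99 * (len(xs) - 1))]

    return {
        "gross_mean": sum(gross) / years,
        "gross_p99": p99(gross),
        "retained_mean": sum(retained) / years,
        "retained_p99": p99(retained),
    }


if __name__ == "__main__":
    # Constructed programme: 12 losses a year on average, mean 50k, sd 200k (heavy tail);
    # retain the first 25k of each loss and buy a 2m layer above it.
    mu, sigma = lognormal_params(50_000, 200_000)
    print("99.5% single-loss severity (cap candidate):", round(severity_quantile(mu, sigma, 0.995)))
    for k, v in simulate_programme(12, 50_000, 200_000, 25_000, 2_000_000).items():
        print(k, round(v))
```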
Mapping
In order to evaluate whether it is worth buying insurance, you must first assess
how far it covers the risks you have identified. That’s not too difficult where
the class of insurance maps neatly onto your loss event type, such as with fire
and property damage. But that’s a minority of operational loss events.
With operational risk, a number of causes can lead to a particular type of loss event and a particular cause can trigger a number of different types of loss event. In the same way, as we saw above with the internal fraud example, different types of policy will respond to a particular loss event, depending on the cause, and a particular class of policy may respond to a range of loss events.
The Bankers’ Blanket Bond, which is essentially a crime policy, will cover fraud and theft, for instance, two major classes of operational risk. But other policies such as Electronic Computer Crime, Directors’ and Officers’ liability and Professional Indemnity policies may also respond. Similarly, with theft from banks, the Bankers’ Blanket Bond covers theft of physical property such as computers, cash or artwork, but does not cover theft of intellectual property. For that, again depending on cause, you may have to turn to a Fidelity Guarantee policy (covering your own loss) or a Professional Indemnity policy if a third party has suffered loss and the firm was unaware of the theft.
Where simple direct mapping from a risk category such as fire is not possible to help assess the value of insurance, the best answer is to use scenarios (see Chapter 9, Stress tests and scenarios). That is what the insurance industry does, not only to understand its own underwriting risk exposure, but also to evaluate its operational risk, as was noted in Chapter 9. If you use scenarios to assess your operational risk exposure, use them to test your insurance coverage. Whether you are assessing insurance or operational risk exposures, a severe enough scenario is generally produced by considering a number of serious events happening over an appropriate time. In assessing insurance coverage, an appropriate time could be the 12-month term of most insurance policies.
That points also to the importance of having data which enable you to assess
the net present value of the amount which is finally paid, allowing for the time
value of money – the time between an event occurring and the amount and
timing of an insurance settlement.
Types of policy
In this connection it is worth remembering that there are broadly three types of
policy: losses occurring, claims made and losses discovered (or discovery based).
With a losses occurring policy, the loss must occur during the period
covered by the policy. These are the types of policy with which most of us are
familiar in our private lives – property, motor and so on.
With a claims made policy, the insured must notify a circumstance, accepted by the insurer, during the term of the policy, even though the event may have taken place before that period. Into this category fall the various liability policies such as Directors’ and Officers’ or Professional Indemnity.
With a discovery-based policy, the policy responds to an event discovered
during the policy period, again even though the event itself happened some
years before. A good example would be an Unauthorised Trading policy. As a
class of insurance it was not available until some time after the Barings case in
1995, but it would have covered the Allfirst Finance case in 2001, where the
deceptions practised by trader John Rusnak went back over four years before
they finally came to light.
Table 11.1 gives some idea of the range of policies which a firm might consider buying and how the policies fit in to the three broad categories of policy.
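The three trigger rules just described can be stated precisely, which is how a risk function can check which policies in a programme would actually respond to a given loss. The following is an added example, not from the book or any insurer's wording: policy names, the 2001 term and all dates are constructed, and the cause-based exclusions the chapter discusses (arson, lapsed alarms) are deliberately outside its scope.

```python
"""Which policy basis responds to a loss: losses occurring, claims made or discovery."""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import List


class Basis(Enum):
    LOSSES_OCCURRING = "losses occurring"  # the loss must occur during the policy period
    CLAIMS_MADE = "claims made"            # a circumstance must be notified during the period
    DISCOVERY = "losses discovered"        # the loss must be discovered during the period


@dataclass(frozen=True)
class Policy:
    name: str
    basis: Basis
    start: date
    end: date  # inclusive; most policies run for a 12-month term

    def in_term(self, d: date) -> bool:
        return self.start <= d <= self.end


@dataclass(frozen=True)
class LossEvent:
    occurred: date    # when the underlying event happened
    discovered: date  # when the firm found out
    notified: date    # when the insurer was told


def policy_responds(policy: Policy, event: LossEvent) -> bool:
    """Apply the trigger rule for the policy's basis. Cause (the 'reason why')
    is a separate test, applied by the insurer, that this function does not model."""
    if policy.basis is Basis.LOSSES_OCCURRING:
        return policy.in_term(event.occurred)
    if policy.basis is Basis.CLAIMS_MADE:
        return policy.in_term(event.notified)
    return policy.in_term(event.discovered)


def responding_policies(programme: List[Policy], event: LossEvent) -> List[str]:
    """Names of the policies in a programme that would respond to the event."""
    return [p.name for p in programme if policy_responds(p, event)]


# Constructed programme: one policy of each basis, all written for calendar year 2001.
TERM_2001 = (date(2001, 1, 1), date(2001, 12, 31))
PROGRAMME = [
    Policy("Property (losses occurring)", Basis.LOSSES_OCCURRING, *TERM_2001),
    Policy("Professional Indemnity (claims made)", Basis.CLAIMS_MADE, *TERM_2001),
    Policy("Unauthorised Trading (discovery)", Basis.DISCOVERY, *TERM_2001),
]

# Constructed scenario: a deception that began years earlier, surfaced late in the
# 2001 term, but was only reported to insurers after the term had expired.
LONG_RUNNING_FRAUD = LossEvent(
    occurred=date(1997, 3, 1),
    discovered=date(2001, 11, 15),
    notified=date(2002, 1, 10),
)

# Same facts, but the circumstance was notified before the term ended.
PROMPTLY_NOTIFIED = LossEvent(
    occurred=date(1997, 3, 1),
    discovered=date(2001, 11, 15),
    notified=date(2001, 12, 1),
)

if __name__ == "__main__":
    print(responding_policies(PROGRAMME, LONG_RUNNING_FRAUD))  # only the discovery policy
    print(responding_policies(PROGRAMME, PROMPTLY_NOTIFIED))   # claims made responds too
```

The contrast between the two constructed events is the practical point: under a claims made basis, a delay in notifying the insurer past the term end loses the cover even though the loss was discovered in time.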
expenses whereas, for a captive, the charge can come down to 5%. This is driven
in part by the growth of captive management companies, which enable the
parent to benefit from not having to staff a fully functioning insurance company.
Other benefits of forming a captive include:
• it may be the only way in which a parent can obtain cover for certain risks, or at least cover at a reasonable price
• being able to take a share of the more attractive layers of an insurance programme
• premiums paid to a captive, as well as its reserves, are available for investment – until they are needed to pay for claims
• reasonable premiums paid to a captive are tax deductible, whereas reserves maintained to cover losses in the form of self-insurance are not
• reinsurers may quote lower premiums to a captive due to the fact that the parent is financially involved with its own risk: however, reinsurance requirements can also be different from a traditional insurer, since risk will be much less diversified
• direct access to the reinsurance market should also mean lower premiums, since the costs of going to the direct insurance market have been avoided.
It is not uncommon for some captive structures to use a ‘fronting’ insurance
company, with the captive taking on the role of reinsurer.
Whether to use a captive or not depends on: a clear understanding of the parent group’s risks and risk management; the true cost savings involved; and the effect on earnings volatility of replacing the range of external insurances with a substantial degree of self-financing, just as with self-insurance considered below.
However, for specialist needs, captives can be a more stable source of
insurance for a firm than traditional carriers – provided effective reinsurance
can be obtained.
Capital markets
For a number of years, capital markets and insurance professionals have been
working to see if a capital market instrument could be devised which would
protect against a firm’s overall level of operational risk. If so, it could mean
that investors outside the insurance market could be brought in and so increase
capacity for protection.
Such thoughts were prompted by the success of catastrophe bonds and other
instruments. Catastrophe bonds were developed following Hurricane Andrew in
1992 which, at a cost of around US$30bn, was the most expensive hurricane in
US history, until it was surpassed by Hurricane Katrina in 2005. The market
really began in earnest in 1997 when over US$500m of bonds were issued,
rising steadily to US$2bn in 2005 and then rapidly to US$7bn in 2007.3
Catastrophe bonds are issued by an insurer or other organisation. They are neither insurance nor reinsurance but are structured as investments. There is no requirement for an insurable interest. They provide for normal redemption at term, but in the event of a catastrophe within predetermined limits of geography, type and size of loss, the investors in the bonds contribute to the loss by forfeiting their interest and/or principal. A typical example of a qualifying event would be an earthquake occurring of a particular size on the Richter scale and within a certain radius of a predetermined point, such as the centre of Tokyo.
They generally relate to property damage caused by a catastrophic natural or man-made event. They are particularly attractive to investors in the hardening market which follows ‘market-changing’ events such as Hurricane Katrina and the attacks on the World Trade Center in September 2001, so that returns can be considerable if no further catastrophe occurs. And indeed by the end
Self-insurance
The one alternative which is available to everybody is self-insurance – or not
buying insurance. Self-insurance is a perfectly reasonable option, provided the
risks have been fully assessed and managed. So the best form of self-insurance
is good internal controls. Self-insurance can, of course, be inadvertent – or
even deliberate, but badly thought out. For our purposes, let’s assume rational
behaviour and good operational risk management.
Insurance removes an element of financial uncertainty and replaces a possible unknown large loss by a series of smaller known premium payments. The rationale for self-insurance is that the cost of insurance in the form of premiums is removed, as is the loss of the time value of money between paying the premiums and receiving a claims payment. And of course the money saved is available for investment. However, these benefits are offset by the volatility of losses which may occur if insurable operational risk events occur.
If we return to the curve shown in Figure 11.1, it is highly likely that firms
will self-insure for the attritional losses, the cost of doing business. Where the
Conclusion
Insurance is probably the commonest form of operational risk transfer. It is,
however, one which is not well understood. If the right person is put in charge
of buying it across the firm – somebody who knows how it works and who
works closely with operational risk management to understand the firm’s risk
profile – then it can be a hugely business beneficial exercise. However, if you
fully understand your operational risk profile and what insurance offers, you
can also make an intelligent and informed decision to self-insure, which might
be just as business beneficial.
Notes
1 Iris Origo, The Merchant of Prato (London: Jonathan Cape), 1957.
2 The section on alternative risk transfer mechanisms draws extensively on sections of
Alternative risk financing: changing the face of insurance (London: Jim Bannister Developments
Limited), 1998, written by the inestimable insurance expert, Jim Bannister.
3 Guy Carpenter, The catastrophe bond market at year-end 2007; www.guycarp.com.
4 Ibid.
5 www.thomsonreuters.com.
[Figure: the three lines of defence, reporting to the board and the audit committee]
The first line of defence, the business lines, is responsible for establishing an appropriate risk and control environment. Establishing and maintaining a strong risk culture, agreeing the practical application of risk appetite and risk definitions, putting in place adequate controls and operating the risk management framework are all part of the day-to-day responsibilities of business line management. Good risk management is fundamental to business success and should be aligned to business objectives. That is why its primary responsibility rests with the business, the first line of defence.
The second line of defence involves those who provide oversight over business processes and risks, and monitor the proper implementation of risk management policies and the risk management framework. They provide advice and support to the business lines on risk management; they challenge the inputs and outputs provided by the business lines in risk measurement and reporting; and they ensure a consistent application of risk management policies throughout the firm. Operating against the background of the board’s agreed strategy and risk appetite, they are management’s assurance mechanism, providing reports to business line management and to the board. They challenge the risk management information produced by the business lines, such as key performance, risk and control indicators and risk and control assessments.
The third line of defence, the audit process, has two complementary parts – internal and external audit. Internal audit provides independent assurance to the board on the effective operation of the risk management framework and validates the risk measurement process. External audit’s role is to give an opinion on the financial statements. To enable it to do this, it has to assure itself of the quality of risk governance and of controls over such things as ethical values, management style and values, and human resource policies and practice. These factors provide the auditor with assurance that information provided to it is likely to be transparent, rather than forming part of its assurance to the board.
Independent assurance
Independence
In order to fulfil its function, internal audit must be functionally independent
from the activities it audits. Clearly it must be independent of the business
lines. Whilst it may have a direct line to the CEO or CFO for pay or rations,
they should not be its functional reports. Nor should the head of internal audit
report to the CRO. Since internal audit is required to provide assurance on the
risk management process, reporting to the CRO presents an obvious conflict
of interest. That conflict is not resolved by dotted line reporting elsewhere.
Dotted lines, like dual lines, are a fudge. Delete them.
Assuming there is an audit committee, it should report to the chair of that committee. If there is no audit committee, it should report to the non-executive chairman or senior non-executive director. The point of reporting to the non-executive directors is that internal audit must have a direct functional line to those who are there to oversee management and to assess the firm independently and objectively on behalf of shareholders.
The approach of an audit committee should be trust, with verification. Internal audit provides that independent verification. Reporting to the audit committee will protect internal audit’s organisational independence and objectivity. If internal audit reports only to the CFO, or another senior executive, its independence is immediately called into question. In this chapter we shall assume that the function to which internal audit reports is the audit committee.
Maintaining independence is easier said than done, especially in the face of some regulatory demands. The Sarbanes-Oxley legislation in the USA, for
Assurance
From a risk perspective, internal auditors will normally provide assurance on:
• risk governance and the risk management processes from board level down, looking at their design and how well they are working
• the management and oversight process for risks, including the effectiveness of controls and other responses to them
• the accuracy and reliability of the components of the risk assessment and reporting process.
Whilst management, and especially those providing risk management oversight,
will challenge the accuracy of risk assessments provided by the business, there
needs to be an independent review to ensure the reliability and robustness of the
assessment process, including data inputs, assumptions and outputs.
There is no single method, partly because the nature of assessment processes, especially with operational risk, is so various. Assurance concerns all aspects of the process. It tests processes to ensure that information is complete, accurate and valid. In this context, valid means that the information is genuine and not fictitious.
A good example is the auditing of scenarios and stress tests, which we discussed in Chapter 9. Scenarios rely on judgemental and expert decisions, so that independent review plays a key role in reviewing the process. Here are some of the qualitative questions that could be asked about the process:
• Were all the right people involved in the assessment?
• Challenge by risk managers and others is an important part of the process, but were the challenges consistent across the various scenarios?
• Since they involve a significant degree of subjective judgement, scenarios are notoriously open to human biases, as outlined in Chapter 9. Have these been adequately considered and mitigated?
• Have all the causes, events and consequences been included, and included appropriately?
• Has the process been adequately documented, so that it could be replicated in a consistent manner?
the firm. Times have moved on. Operational risk is recognised as going beyond systems and process. Whilst auditors can and should provide guidance, responsibility for risk rests with business line management.
As an independent assurer, internal audit is, in fact, especially valuable and necessary in operational risk. Operational risk managers are usually intimately involved in the development of the operational risk framework within a central team, or work in business units where they can offer advice and guidance and are responsible for providing data inputs and resulting reports. That effectively places them in the first and second lines of defence, a confusing enough position. There therefore needs to be an independent assurance process of the information they are providing and the methodologies used.
Where there is no risk management function, the internal auditor may act
as a facilitator in establishing a risk management strategy and framework. But
it is important that they do not compromise their independence or confuse
their role by taking risk decisions or being executive risk managers, however
attractive that role may seem.
Policy
Internal audit should operate within a clear policy statement, approved by the firm’s board and management, which outlines:
• its objectives and the scope of the internal audit function
• its status and position within the firm, including its relationship to the business lines and oversight functions
• its competences, tasks and responsibilities.
The scope of possible responsibilities is wide. According to the Institute of Internal Auditors,
‘Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.’7
In addition, whether it is the audit committee or the board to whom internal audit reports, that body is not only responsible for financial reporting and the process relating to the company’s financial risks and internal control, but their concerns will also include non-financial risks such as whistle-blowing, remuneration policy (including the information on which remuneration may be based) and exposure to fraud, almost all of which require some degree of internal audit assurance.
To add to the mix, internal audit has an outward looking role. First, it should protect and safeguard the reputation of a firm by ensuring that ethical and other guidelines or codes are adhered to through assurance of the process. Second, it should be able and encouraged to take a broader view of the firm and its environment and not be bogged down in the detail of process, important though that is. The board needs to be clear from all of this exactly what it wants from internal audit, but also consider internal audit’s ability to meet changing expectations.
Finally, it is important that the audit agenda is shaped by the needs of the business and not by internal audit’s capabilities. If that is not the case, its resources and personnel will need to be changed.8
[Table: columns ID; Risks; I; L; S; Owner(s) of the risk; Controls; D; P; E; Owner(s) of the control]
strategy and timeline for migrating the responsibility for these services as
soon as possible to members of the management team. Advice and support is
one thing; taking risk management decisions itself quite another. Even being
involved in designing part of the process can lead to significant conflicts for
later audits.
Where internal audit does become responsible for some aspect of risk management, it cannot then provide independent assurance for that aspect. This will have to be obtained from a suitably qualified independent third party.
If everybody is satisfied that internal audit’s independence will not be compromised and it is asked to undertake work beyond its standard and agreed assurance activities, this should be recognised as a consulting engagement and appropriate terms of engagement agreed.
Investigations
Events continually occur which require investigation and assurance. If the
request comes from the chairman of the audit committee or the non-executive
directors, there is no risk of internal audit being conflicted.
If, however, the request comes from management, they should seriously consider using their own resources wherever possible, probably from those in an oversight role (i.e. the second line of defence), leaving audit to fulfil its proper role of independent reviewer and assurer.
Audit committees
The audit committee, comprising as it does independent non-executive directors, performs a key oversight role for the board and should be the critical link between the board and both internal and external audit. In most financial sector firms, there will be a separate risk committee. That was also a key recommendation by Sir David Walker in his report in 2009 on corporate governance issues in UK banks, which was undertaken in response to the financial crisis.10 However, in many firms, the audit committee fulfils both functions. It therefore acts as a catalyst for improving both oversight and risk management.
in the appointment of a new head of internal audit. The committee should also
ensure that the review of the effectiveness of internal audit is truly independent.
It is for the audit committee to agree the internal audit plan and any changes
to it. The committee may also wish to consider the extent to which it is able
to call on internal audit to perform investigations on its behalf. In all of this,
though, it must make sure that the board is kept fully advised of its activities.
For its part, internal audit needs to have a clear understanding of the responsibilities and operation of the audit committee and the expectations of both the committee and its chairperson. In summary, the board, audit committee and internal audit need to have a shared vision for internal audit.
Those qualities should, of course, apply equally to the members of the audit
team as well as its head, and are probably also valid when appointing a
new CRO.
There is an obvious need to be independent and to challenge and, if necessary, keep on challenging. Inevitably, the job involves difficult and contentious issues. Handling them with candour and frankness will generate confidence in the function.
Communication is two-way. It is as important for internal audit to communicate its views effectively, as it is for the business to report to audit its concerns and problems and not wait, in a destructive game, for audit to discover them.
Internal auditing is about continuous improvement, as is suggested in the
IIA definition, not merely checking that controls are working. To achieve
improvement you have to be a politician and understand both the culture of
the organisation and the art of the possible. You need to understand how to
gain acceptance for your recommendations – and not rely on some ill-defined
threat of whistle-blowing.
A key role of the head of internal audit is to build an effective audit team. Ideally, it will come from a diverse talent pool of relatively senior and experienced people. Often, though, that is not possible. Where individuals lack experience, they should be able to make up part of the deficiency through common sense and pragmatism. One of the problems for any audit team is that the people they rely on for information are also the people they are evaluating. They need the skill to ask the right questions and to develop a ‘nose’ for assessing the answers. Without those skills, the role becomes one of inquisitor rather than constructive critic.
Long outstanding audit queries are a good indicator of the poor quality of
risk management in a firm and of its risk culture. They can also be an indicator
of the level of respect for the internal audit function, and even of the quality of
queries being raised. If it works well, internal audit will gain credibility and
respect from the business, who will therefore listen and seek advice from the
function, such as when a new project is being considered.
Much of the job is about building awareness of the value which internal audit can bring. The obvious way is in providing the board and management with objective assurance that the risk governance and risk management processes are being operated appropriately and that the internal control framework is operating effectively.
But internal audit can demonstrate its value in an active as well as a passive way. We have referred to internal audit as being a catalyst for continuous improvement within the firm. In addition, people need to be made aware of what it does and how it can help, perhaps through leaflets or the intranet, or simply by networking.
Two of the best ways for people to see the benefits of the function are:
• to second staff to it, and
• to make sure that a term in internal audit is seen as a value-adding career move which is remunerated appropriately.
Secondments are particularly useful because, when they end, the secondee will go back into the mainstream operations. That way, audit’s knowledge of the organisation is constantly refreshed and the quality of risk management and internal controls will be continuously improved.
That is an excellent way for a good internal audit function to add real value.
Part 5
Practical operational risk management
13. Outsourcing
14. People risk
15. Reputation risk
What is outsourcing?
Outsourcing – transforming operational risk
Deciding to outsource
The outsourcing project – getting it right at the start
Risk assessment
Some tips on the request for proposal
Selecting the provider
Some tips on service level agreements
Managing the project
Exit strategy
What is outsourcing?
Outsourcing is the transfer of selected projects, functions or services and the delegation of day-to-day management responsibility to third party suppliers. It is not confined to IT, nor even human resource functions, nor to offshore outsourcing. It could involve the transparent transfer of part of the business to a third party, or the transfer of a service, by white-labelling, to a third party, including another member of the same group. It involves all agency arrangements and could be by way of a joint venture.
In all cases, if it is to work effectively, both parties will work as partners. Nearly all aspects of outsourcing risk management, as we shall see, revolve around the need to establish a balanced and fair partnership between the outsourcing client (or buyer) and the service provider.
Although this chapter deals specifically with outsourcing, the principles and management processes apply just as well to any major procurement or third party dependency, such as the supply chain. Third party dependency is, in fact, a useful generic term to describe the risk which we accept in any buyer–supplier relationship, of which outsourcing is but one.
which printed the Goldfish statements, or the company which operated RBS’s
archive centre.1
So you cannot outsource responsibility, nor can you outsource reputation risk. If the change you are making through outsourcing is likely to have an effect on your customers, especially during the transition period, you need to have an effective media and employee communications strategy in place, from the time when the decision to outsource is made to when it has been successfully implemented. Effective communication is the best mitigant to reputation risk and also, as we shall see, to ensuring a successfully managed outsourcing project.
In this chapter we shall go through the outsourcing process, identify the key risks at each stage and discuss the actions or controls which need to be in place to reduce them.
Deciding to outsource
Benefits of outsourcing
When people are asked in surveys what makes a successful outsourcing deal, it is noticeable that cost savings come a long way behind features such as:
• concentrating management on core activities
• achieving higher activity levels
• improving customer service(s), and
• improving financial control.
All of these help to improve the buyer’s competitive advantage, something
which should be a fundamental test of whether to outsource or not.
Outsourcing makes business sense by improving both the speed and quality
of customer service. A service provider may, for instance, be able to handle a
variety of resource-consuming compliance tasks more cost-effectively, and free
the buyer’s staff to concentrate on a major systems project.
In the best deals, where there is a true partnership, the buyer passes on expertise derived from its strengths and the supplier is proactive in coming to the buyer with innovative ideas. New products can come to market more quickly.
At a higher level, outsourcing can be a force for cultural change if it is part
of the transformation to a differently shaped and focused organisation. It can
also help in a merger, when it is often difficult to combine two infrastructure
cultures. Basing the future infrastructure on a third-party provider can remove
the problem and take it outside the politics. Outsourcing can thus be a major
force for changing and transforming the operational risk environment.
costs into variable costs and freeing up capital which would otherwise have to be invested in non-core activities or large investment projects. The service provider has already invested in the necessary process and can provide the benefits of infrastructure and economies of scale. Even more positively, on the question of cash, outsourcing may bring a cash infusion, if the provider buys assets such as hardware or software, or increased opportunities for revenue generation.
Cash benefits such as these are positive reasons to outsource. Cash benefits
based on cost-cutting are not.
Leaving aside the cynics who say that ‘core’ is the part of the business you can’t
sell, what is ‘core’ will vary from firm to firm. Does ‘core’ mean ‘strategic’? If
so, what is truly ‘strategic’?
In 1996, British Airways, which has always been an aggressive outsourcer, was highly successful in outsourcing its customer correspondence function from the UK to India. Some 2000 jobs were outsourced but only two redundancies resulted in the UK as staff were redeployed to higher value, less mundane, jobs. What is more, the function was more efficiently handled in India and customer satisfaction rose.4 Following this, in 2001, the company declared its intention to be a ‘virtual’ company, with its aircraft leasing, maintenance, ground handling, ticketing, IT, website, in-flight staff and even its pilot staffing being outsourced. That just about left only the brand.
Similarly, Coca-Cola does not make Coke. It markets it and looks after
advertising and strategy, but most of the product is produced under licence by
bottling companies around the world. And Virgin merely badges the financial
services and mobile phone activities which bear its name. Perhaps managing
the brand and reputation is the real core activity, along with managing the
outsourcing contracts, which replace the previous core activity for these firms
of managing a large number of people.
But it is not just activities which are core. Some risks are so ‘core’ that they
also should not be outsourced. The Potters Bar rail crash, just north of London,
was a salutary lesson.
Since risks are threats to objectives, it is difficult to identify risks to the project
if clear objectives have not been set. Failing to set clear goals and objectives is
therefore a major risk in itself.
Too often projects go wrong because unrealistic timelines have been set at each stage of the project. Or there is poor planning on the timing of the transition to the service provider and, importantly, on the effect the outsourcing arrangement will have on employees and processes in other parts of the organisation, and on areas of risk, including environmental and regulatory factors.
Once the decision has been made to outsource, the key to minimising failure is preparation:
• set objectives for the project
• understand the scope of what is to be outsourced
• be clear about the benefits you are trying to obtain
• appoint a project team who will have day-to-day responsibility to run the process and deliver a workable outsourcing solution
• use your risk management system to manage the process and re-assess the risks at every stage.
If you have agreed principles on how to manage the outsourcing process, you
will manage the outsourcing risks effectively.
Risk assessment
Once you have decided to outsource and have established a project team, the next stage is to undertake a full risk assessment and identify the threats to successful implementation. Initially, you need to undertake three risk assessments:
1. as you are today
2. the project itself
3. where you want to be.
Risk assessments 2 and 3 will help to frame the request for proposal (RFP),
the criteria for selecting the provider and, most importantly, the service level
agreement (SLA).
Risk assessments 2 and 3 will then be reviewed at each critical stage of the
project. When the SLA is signed, the provider should provide its own risk
assessment (4) and agree indicators by which risks are to be monitored. During
the transition period, a further assessment should be undertaken (5), but this
time jointly with the provider. It is at this point that real knowledge transfer
can take place in both directions.
To put it diagrammatically:
[Figure: risk assessments 1 to 5 plotted against the project stages Goals, RFI, RFP, Shortlist, Site visits, Selection, SLA signing and Transition]
To make sure the risk assessment process for the project (2 and 3) is as comprehensive as possible, involve everybody who may be affected. That will include HR, legal, PR, finance, procurement, those whose functions are being considered for outsourcing, and those who will interact with the function once it is outsourced – and of course, risk management. If you have previous experience of outsourcing, draw on it. If this is the first time, remember that fact when you consider the risks you will face.
Outsourcing will produce new risks at each stage of the project, especially
when the project has gone live and you have little day-to-day control. Here are
a few:
• service delivery falls below expectation
• confidentiality and security is not respected
• contract is too rigid to accommodate change
• failure to devote enough time and energy to managing the relationship
• failure to provide sufficient resources in-house to safeguard the outsourced business processes
• inadequate contingency planning by the provider
• management changes at the outsourcing company – a frequent problem which affects both performance and communication
• the outsourcing company goes out of business.
As you consider these new risks, remember that a key mitigant is communication, both with the service provider and especially with your employees. Communicate openly with them at every stage. Not only will this mean that you get the best out of the outsourcing project, but you will understand and be able to document the consequences for those who will be affected – a fundamental part of the decision to outsource.
Pricing
Pricing is another key risk. Is there sufficient transparency in the supplier’s pricing structure to ensure that you obtain the best value for money? Is there absolute clarity about fixed, upgrade and on-going costs and their basis? Have price escalators or volume-related costs been fully factored in? They may be differently priced from the base standard. What about training costs and pass-through items? We noted earlier (see It’s not about cutting costs) how final costs can far outstrip those imagined when the contract is awarded.
If an outsourcing arrangement is not set up well and managed carefully, it is
not uncommon to find that incremental add-ons can increase the original costs
by as much as 50%. So do the analysis thoroughly and then stretch the results
through various activity scenarios. That should point you to the true costs –
and the true cost savings.
Data security
One risk which looms large in financial services, but also in other sectors such as healthcare, is that confidentiality and security is not respected. What guarantees can the provider give about data security and information relating to your customers? What security measures do they have? Do they subscribe to, and are they audited against, industry and, if appropriate, international standards? Consider whether you need to run checks on their staff. That may be where independent investigators reappear.
BA had failed to understand and make allowance for the links between Gate
Gourmet staff and their baggage handlers.6
If there is going to be any sub-contracting, the same checks and requirements apply as were applied to the primary provider. Any significant or material sub-contractor should be subject to approval by the buyer – on the assumption that the definitions of ‘significant’ or ‘material’ have been clearly documented.
Another tip is to agree the operational details before you get to the legal
ones. This is a partnership after all. If you can agree operational and risk issues
before you draw up the legal document, you will avoid the risk of undue
entanglement with lawyers and legal jargon, and achieve a mutually beneficial
deal in a shorter timeframe which you can both sign up to.
And be strong. You have been through all the analysis and assessment. You
know what you want and why, so don’t allow a provider to dictate what you will
receive. Get what you want, which is, after all, what you need. Above all, do not
agree to finalise the scope, price or service levels after contract signature, or enter
into an agreement which relies on benchmarking to keep the supplier ‘honest’.
The contract is the deal. What is written down and signed is the service you
will receive for the next three to five years, so make sure it is what you want
and that as far as possible it is absolutely clear.
When you look at what an SLA typically contains, you will see that practically
every clause represents some form of risk control covering the elements of risk
management we discuss in this chapter. Table 13.1 shows some typical headlines.
Finally, having done your best to achieve an SLA which covers all your needs, avoid over-reliance on it. It is just possible that the provider may be meeting agreed service levels, but the contract is not successful because the wrong things are being measured. Be prepared to go back to the table. To help that happen, you need to make sure that the agreement allows for flexibility and is not so rigid that it precludes change. If you are working with a real partner that will not be difficult. After all, both sides want this to work long term.
Within the project team this will ensure that issues are escalated as appropriate. It will also mean that lessons learnt from monitoring and reporting are fed into the change management process and acted upon.
Within the buyer’s firm, good communication should ensure that staff,
especially those directly affected, are aware of the reasons why a particular
process is being outsourced and the benefits to be gained. As we point out in
Chapter 14, People risk, failure to communicate with staff effectively leads to
damaging gossip, rumour and loss of morale. Make sure staff who are being
retained know that as soon as possible. As we also point out in that chapter and
elsewhere, the key to good management, whether operational risk management
or otherwise, is trust.
If the people who are going to be directly affected are brought into the process they can act as a risk mitigant in that their feedback may point to costs or processes which have been overlooked in the financial and risk assessments. And, on the basis that the outsourcing will only be successful if in-house staff are working efficiently, it should reduce middle-management resistance which can drain the project of many of its intended benefits.
Finally, on a staffing point, try to keep people around who were involved in the negotiations. However clear you believe the SLA is, people and circumstances change. It is always helpful to have people available who knew the intent and thinking behind the transaction.
Change
All outsourcing contracts will change. They are never static. After all, the contract is probably for three to five years or longer. That does not mean jumping about and over-reacting in month 1. No outsourced operation is perfect from the start. There will be an efficiency dip in the first two to three months, through inexperience and the additional checking required initially. After that, regular monitoring should point to any aspects which require debate and, if necessary, a change in the contract.
The governance team must be able to deal with change throughout the life of the contract. Change control protocols are the administrative side of that. They will form part of a ‘ways of working’ document, agreed at the outset, which will also clearly state the goals and expectations of performance reporting and assessment. The human side is that the team should be composed of people who are open-minded and not wedded to the old ways of doing things.
Changes could relate to performance. But they could equally be about differences of interpretation or changes in the environment for either buyer or provider. So keep both the relationship and the contract up to date and make sure the contract works for both parties and is flexible enough to cater for change. Above all, document, document, document – throughout the duration of the contract and immediately an event happens or a meeting takes place.
Offshoring
Because outsourcing is a partnership, there needs to be full collaboration between buyer and service provider. That can be a particular challenge where collaboration has to be with an offshore team, probably working within a different culture.
To make offshore outsourcing work as effectively as possible, you should
first make sure that you have a high quality local leader for the offshore team.
If you can then blend the offshore team with effective onshore specialists, the
benefits will be considerable and the risks much lower.
Part of that blending process is training. To be most effective, train the offshore team at the home office first, so that they can become trainers and leaders offshore. They will understand and be able to transmit your values and culture – and, of course, the training will give you a chance to understand theirs. The more onshore people you can involve, the better. The whole team will become ambassadors for the project and make it work.
Partnering in this way will also help to overcome the linguistic and cultural barriers and risks which are all part of offshore outsourcing. People risks such as these are a major element of offshore outsourcing and, apart from language risk (both with the provider and involving local laws and professionals), can include: different HR and employment law requirements; poor communications; different data protection requirements; or different ethical standards regarding bribery. Many firms have suffered reputational damage when it has emerged that their expensive products have been produced by ‘sweatshop’ labour. You need to establish in your SLA the standards you expect. In the case of data security, that may be related to international standards, such as those published by BITS or ISO 27001. In other cases you must spell out precisely what your standards are and then make sure that monitoring them is part of your regular monitoring and auditing process.
Finally, and inevitably when considering offshore outsourcing, there is currency risk. In 2008, for instance, the Indian rupee depreciated by over 23% against the US dollar.8 Since most contracts with firms dealing in the dollar will have been fixed in dollars, that represented a significant additional profit to the Indian provider. Of course, that could work the other way, so where contracts involve volatile currencies – and which currency is not volatile, including the US dollar – one answer may be to include a clause which shares profits arising purely from currency movements above a certain percentage.
Exit strategy
The SLA will provide for contingency plans to cope with serious problems which arise during the term of a contract. However, there will be times when the contract has to be terminated. There can be many reasons why it may be necessary to exit the contract. Failure of the provider or failure to deliver to the required standard or quality are the most obvious reasons. Action by the provider which causes reputational damage can be another. Less easy to predict – but something which should be monitored as part of regular risk re-assessments – is the acquisition of the provider by a company which then either sells it on or merges it with another within the group. That could well justify and require breaking the contract and bringing a process in-house.
Within financial services it is a regulatory requirement that a firm should
be able to bring any outsourced activity back in-house. That means, as we
have seen above, maintaining appropriate resources, both trained people and
infrastructure, and having a clear plan to enable them rapidly to assume the
outsourced function. But all sectors must think about their exit strategy. If you
do not, you face the risks of becoming dependent on the provider, of losing
your negotiating power and of finding it difficult to move elsewhere.
You should also be able to exit for your own reasons and terminate with
reasonable notice under softer conditions than those resulting from breaches of
the contract by the service provider. That means being clear at the outset, and
in the contract, about:
• the circumstances under which the contract may be terminated
• how the activity can be brought back in-house (or passed on to a third party)
• who owns what assets, and
• when compensation is due.
Above all, outsourcing is a partnership. If you have managed the relationship
as well as you should, even termination can be a collaborative operation.
Notes
1 Peter Haines, ‘Outsourcing and business information: is anybody feeling sorry for the banks?’, www.complinet.com, 3 September 2008.
2 www.computerweekly.com, 17 April 2007.
3 John-Paul Kamath, ‘Outsourcing “derailed by focus on ROI”’, computerweekly.com, April 2007.
4 Elizabeth Knight, ‘Myths on outsourcing – week 2’, www.articlesbase.com/print/947426, 1 June 2009.
5 Joe Leahy and James Fontanella-Khan, ‘Outsourcing clients on the lookout for red flags’, Financial Times, 22 January 2009.
6 For further commentary, see www.erconsultants.co.uk/ot/case_studies/gate_gourmet_affair.
Introduction
The people environment
Mitigating people risks
Succession planning
The human resources department
Key people risk indicators
Introduction
When it comes down to it, most operational risks are ultimately the result of ‘people’ failure, whether at a strategic, managerial or operational level. ‘Our people are our greatest asset’, we read at the end of the Chairman’s or CEO’s statement in the annual Report and Accounts. True. But just as risk is as much about opportunities as threats, so our people are also ‘our greatest potential liability’. Yet firms rarely consider people management as such as the key element of their overall risk management.
There are two sides to people risk: employees and their managers. Take employees first. People are essentially honest; they do not come to work to defraud or to cause disruption. However, leaving aside risk factors such as individuals’ lack of competence, training and experience, there are many aspects of their personal or domestic environment which will affect their reliability from day to day, or even from minute to minute. Times of personal stress – unemployment, bereavement, relationship break-up, health problems, threats to income (many of which feed off each other) – lead to behaviour, even criminal behaviour, which would be out of character in stable times. Because people’s personal circumstances change from day to day, assessing exposure to people risk is difficult. The skill is to manage effectively, rather than to assess accurately, which brings us to the other side of people risk – managers.
To pressures generated outside work can be added those created by poor management and organisation within the workplace: lack of clarity about what needs to be done; too little time to fulfil tasks; too many tasks; the complexity of tasks and work processes; lack of support from colleagues or technology; unreasonable managers. All of these add to stress and unreliability and increase risk. They are symptomatic of an organisation which doesn’t rate people management as a priority.
We accept that our people are not going to be with us ‘from cradle to grave’. As Charles Handy has put it: ‘Organisations are never again going to stockpile people. The employee society is on the wane.’1 But we need to ensure that we retain the best people and that all perform to their best ability. If we can create the right environment to achieve that, we will at the same time considerably minimise our people risks.
Leadership
The tone from the top
In a firm which has thought seriously about the behaviours it requires for
excellent performance at a firm-wide level, it is almost inevitable that senior
management will themselves ‘walk the talk’. There will be an environment of
trust, where people share common values, including a common approach to
risk, and work together in a culture of acceptable ethics and behaviours.
As is so often said, the tone of that culture, the ‘tune in the middle’, will be set from the top, which is where, ironically, many of the biggest operational risks in terms of impact can lie: a bad acquisition decision, losing the trust and support of investors, lack of strategy or, if there is a strategy, failure to translate it into an achievable operating plan. The CEO probably owns the biggest risks, but risk registers often include the CEO only under the guise of ‘poor strategic management’, an inadequate and broad risk category. This is to ignore the specific risks mentioned above as well as other softer operational risks, such as poor implementation of the business plan, poor communication both within and without the firm, or loss of reputation, all of which lie at the door of the CEO. If the CEO is assiduous in the attention he or she pays to the controls of those risks, this will set a cultural and risk management tone throughout the firm.
Worse than poor strategic decisions, though, is a cancerous environment where the CEO is complicit in dishonest and unethical acts. Or where only the CEO appears able to make a decision, so that he or she is the sole repository of what is happening in the firm. Or an environment in which bad news is hidden: ‘the CEO wouldn’t like to hear that’ syndrome. So we don’t tell her or him. There must be an atmosphere where staff feel able to criticise their superiors and where communication runs openly and freely up and down the firm.
Given the criticality of creating the right kind of environment, both to
improve performance and reduce risk, it is surprising how rarely the board, and
especially the independent non-executive directors, formally assess ‘the tone
from the top’, including taking soundings within and without the firm.
It doesn’t have to be complicated. An effective board, which does not
kowtow to the CEO, will keep factors like those under constant review and
take action including, if necessary, firing the CEO.
might otherwise have been the case. So honesty and integrity lie at the heart
of operational risk management.
Human nature being what it is, people have to be in a position where the
benefit of reporting losses or problems is greater than the risk of hiding them.
As a first step, that may mean establishing a system where losses are reported
anonymously. In a sense that is an admission of failure. In a culture of trust,
reporting losses, problems and potential risks is encouraged and rewarded by
positive feedback. It may be possible to internally ‘reimburse’ financial losses
which are reported. In some firms, reports on ‘near misses’ can earn reward points
which can be translated into catalogue prizes at the end of the year. It may sound
strange, but if it means near misses are recorded, and incident and loss recording
enhanced, future risks can be avoided and the control environment improved.
In the airline industry, for instance, reporting is an accepted part of the culture. Airline pilots are expected to, and do, report errors they have made during flights, so that training or systems can be enhanced, and risks to safety reduced. For them, risk reporting is part of a process of learning and continuous improvement, part of an environment in which everybody’s views are valued and they are encouraged to contribute to ideas to improve their own and other people’s performance.
Effective management
The other aspect of communication within the firm is that from management down. It also needs to be full and appropriate. Relying on some form of informal cascade only leads to the risk of rumour and gossip. On the other hand, the overly stage-managed town hall style presentation can be met with cynicism and lack of impact, as well as irritation. People are different, as are the messages, so the medium has to be tailored to the message and to the audience. That way the risk of non-communication will be avoided.
Throughout this book we speak of the need for people to be clear about their objectives and their role and responsibilities as regards risk management. As we have frequently pointed out, every member of staff is involved in operational risk management. Clarity of roles and responsibilities is a fundamental part of the risk management framework. One of the benefits of this aspect of good risk management is that clarity of roles and responsibilities is also key to making people aware of their position and worth within the firm. Where people can explain how they contribute to the organisation, they will make a positive contribution to its performance.
practices to be rigid, inflexible and stale – in other words unfit for purpose,
exposing the firm to more risk.
No firm is static any more than the external environment remains static. Firms
are always at some changing point of evolution and development – whether they
are growing or contracting. Growth may mean that the entrepreneur culture at
the outset has to be tempered by a more structured, control environment. The
original close-knit team gives way to a larger organisation which, for some, may
be uncomfortably bureaucratic. At a time of contraction, the effects of downsizing,
restructuring and redundancy will have to be managed.
All these changes mean a changing operational risk environment and operational
risk exposure which needs to be constantly re-assessed. From a people
risk point of view, a changing risk profile and risk environment may require
different skills being developed or brought in. It is management’s job to be
aware of changed conditions, and to be able to adapt quickly. In this way, risks
can be anticipated and their impact limited before they arise. Organisations
need to keep fit to remain healthy, just as do the people within them.
Selection
People risk often starts at the beginning with selection and choosing the
wrong people. Poor selection leads to cost and wasted management resource.
Effective selection is an opportunity to add benefit to the firm.
Who do we want?
• Go for fit rather than capability. If you really want to place a piece of grit
in the oyster because you know you’re about to embark on a period of
serious change and need somebody who will effect that change, fine.
Otherwise, consider behaviours and choose the person who fits your
culture, rather than the person who appears to tick all the boxes of expertise
and experience. You can teach people competencies, but you can’t
change personalities. Or as Peter Schutz, former President and CEO of
Porsche AG, has put it, ‘Hire character. Train skill’.2
• Psychometric tests. They undoubtedly have value, especially if linked with
the excellent behaviours you identified at the outset, and can provide an
evidenced rationale for your selection decisions. But they should be an
aid to judgement, not a substitute. If your gut instinct contradicts the
test, go with your gut.
• Recruit with one eye on the future. We are often too certain about what and
who we are looking for. Have we really thought about the future and
where the firm and the industry is going? The world and the firm will
change – and sooner than we may think or like. Another reason to go for
fit – and flexibility.
• The line manager. But does he or she have the skills necessary to interview
a potential employee? Do they have the technical knowledge of HR
policy and legislation? Is it clear what aspect of the selection process they
are dealing with? Too often, when HR is asked to draw up a contract for
a new employee, commitments emerge, which have been given by the
manager to the recruit, which diverge completely from the pay and benefit
structures around the firm. So take care about who plays what role in
the process and make sure they are clear about their role and the limit of
their authority.
• Do you have a cadre of senior managers who understand the firm and
how it ticks and have proved their worth as good selectors? Develop
them into a panel to oversee all appointments over a certain level. They
will ensure that you select for fit.
The process
And are those above average scores really justified? Too often, when a
department head comes to HR to say that, for whatever reason, Mr X or Ms
Y has to be fired, they invariably find that the last couple of appraisals have
been glowing to the point of excellent. How strange that ‘good’ people become
‘bad’ when there are problems. Dishonest appraisals disproportionately increase
the cost of dismissal. If poor staff had been honestly appraised and identified
sooner, when times were good, the costs of dismissal would have been
lower and recruiting a replacement would have been easier than it will be in a
downturn.
One reason for dishonest appraisals is that they continue, despite all the
rhetoric, to be an annual formal event. If so, they cannot provide a forum for
criticism which should have been made months before. We should be looking
at our staff – and our superiors – all the time and providing continuous
feedback so that the firm benefits from the resulting openness. That openness
will improve performance and develop potential, not just for the individual,
but inevitably for the firm as a whole. It should also mean that the formal
appraisal, when it comes, will contain no surprises.
From a risk management point of view, appraisals have a number of functions.
They are primarily the method of reviewing performance against agreed
targets. Since risks are threats to objectives, the firm’s or unit’s objectives
should form the basis of performance targets, both financial and non-financial.
Appraisals are a critical part of the risk control process and provide useful
indicators of overall people risk exposure. They are also a control on behaviour
and part of the process of maintaining a good risk culture. That is why they
should be validated across the firm to ensure consistency of this vital control.
360° appraisals, in which the appraisal involves everybody who has contact
with the person being appraised, whether above or below them, are
another way of reducing risk by reinforcing acceptable behaviours. However,
anonymity is hard to preserve and it can be difficult to keep 360° appraisals
honest. It all depends, as was highlighted earlier, on whether staff are encouraged
to comment on and, if appropriate, criticise their superiors.
Finally, appraisals point to ways in which an individual can be developed
further, which may include training, to improve risk management or reduce
risk exposure. Staff are like diamonds; they require constant polishing.
Table 14.2 People risks and indicators of training and development needs
Risk | Indicator
Poor throughput | Error rates; productivity
Employment law failures; discrimination | Claims by staff
Loss of talent (through poor people management/culture) | Resignations of experienced/senior staff
Training and development may involve courses, but can also mean changes in
responsibility or environment. You never know when somebody will be missing.
At a higher level, leadership should be developed within the firm. Firms
which don’t nurture their talent will see it leave to the competition, who have
spotted new opportunities. If development is switched off, firms will find
themselves with an even more desperate shortage of talent when it is needed –
whether for a downturn or an upturn.
But appraisals are not the only guide to personal development. The firm’s
objectives over the medium term will point to the skills required, so that a
skills audit should be regularly conducted to make sure the firm has a reservoir
of the right kind of both technical and leadership talent to fulfil its strategy.
Reward – or what does your bonus system say about your values?
Given the reams which have been written about the impact of remuneration
structures on behaviours which appear, to the public and politicians at least, to
lie at the heart of the recent financial crisis, it would be hard to consider people
risk without discussing reward and remuneration.
But before we deal with bonuses and the financial crisis, let’s establish a few
principles of good reward policies. At this stage it might be worth reminding
ourselves that reward is not all about remuneration. Remuneration – base pay,
variable pay, share options, other benefits – is the financial aspect of reward.
But there are non-financial aspects of reward which can be just as important to
employees: recognition; the opportunity to develop skills; career opportunities;
the quality of the work–life balance. They all form part of the overall reward
package and may be decisive in retaining a valuable employee – just one aspect
of people risk mitigation.
But to return to the core of reward – remuneration. Remuneration, like
appraisals, with which it is obviously closely linked, should reinforce the performance
and behaviours we require and discourage unwanted behaviour. It
should be based on what the firm considers to be good performance and help
the business achieve its strategic objectives, which should themselves be rooted
in sound risk management.
If remuneration is linked to performance targets which are closely allied to
business objectives, you will have gone a long way to linking remuneration
also to risk appetite. On an oil rig, managers are rewarded primarily for the
quality of their safety management. Hitting production targets comes second.
Remuneration both rewards and incentivises performance. It is not simply
a market wage. But it is also a balancing act between reward and risk. In
the recent financial crisis, did remuneration encourage ‘bad’ and overly risky
behaviour? Probably. But was that, in fact, the publicly visible reflection of a
poor risk management culture? Or even lack of any recognisable risk management
culture? They were both evidence of a remuneration policy which had
lost any connection with business strategy and objectives which were allied to
risk management, including especially the people risks within operational risk.
Nevertheless, a remuneration structure which was almost entirely fixed salary
based did not prevent the Japanese banking crisis of the 1990s.
These are all useful points to remember when we consider the guidance
which has emerged from governments and public policy makers in the wake of
the financial crisis. There are common themes and principles:
• Remuneration policies should promote sound and effective risk management
and include a significant proportion of non-financial metrics in the
assessment process.
Of course remuneration should not encourage excessive risk taking. As
regards non-financial aspects, we have continually emphasised the importance
of establishing the behaviours which will be rewarded, and not just
the achievement of financial targets.
• An appropriate balance between fixed and variable remuneration should
be achieved.
From a firm’s point of view, the guidelines being proposed could see a shift
to a greater proportion of fixed pay, and a reduced incentive for executives
to drive for improved performance. Bonuses are not an evil in themselves,
but they should be used to drive non-financial behaviours and performance
as much as respond to the achievement of targets and profitability.
There is also a danger that the word ‘bonus’ is itself emotive. When
bonuses are ‘guaranteed’ they are simply an element of fixed remuneration.
• Where a significant proportion of remuneration is in the form of a performance-related
bonus, the majority should be:
  • deferred for a minimum period (which will reflect the risks involved
Succession planning
Staff retention
The simplest form of succession planning is, of course, not to lose staff in the
first place. Retaining trained and experienced staff is a key to excellent risk
management. You cannot afford to lose both the commitment and the intellectual
capital of your best employees.
Since the human brain is the easiest way to carry information (and secrets)
out of a firm, you should look at how corporate knowledge has been developed,
documented and converted into intellectual capital. Has corporate knowledge
been compared with competitor knowledge to identify your intellectual as well
as your competitive advantage – and the risks if you should lose it? That’s one
strategy to reduce the risks which an ex-employee can cause either maliciously
or if, for instance, they can exploit their knowledge of your systems or strategy.
Employment contracts and gardening leave can get you only so far.
The opening of Heathrow’s new Terminal 5 in March 2008 was a good
example of how lack of a skills audit and failure to retain people with knowledge
caused untold financial and reputational damage.
Another risk mitigation strategy to reduce the possibility of losing staff is,
wherever possible, the exit interview. It may be too late for the employee who
is leaving, but they may be able to give pointers which will help you retain
those who remain.
Your best employees will always be in demand. If you do not nurture your
talented people, they will leave for competitors who spot new opportunities
which may arise from destabilisation in the established marketplace. In the
end, the best risk control technique is a pro-active human resources policy
which seeks to create an environment in which people are valued, and there is a
strategy for retaining talented employees and for minimising the damage that
occurs when key people leave.
Looking at some of the people risk mitigants discussed above, we can see that
indicators concerning training and development can be developed: how many
staff have been identified with training or development needs? How many of
those needs have actually been fulfilled?
As with all indicators, the key is to get to quality rather than mere numbers
and to understand what the numbers are telling you. Staff turnover is probably
the most common people risk indicator to appear on risk dashboards and
management reports. But staff turnover alone is a very blunt instrument. It
is not the number of staff, but the quality of staff leaving and the knowledge
and experience they take with them which is the issue, so do the turnover data
indicate loss of staff by experience and by appraisal grading? Is there a target
for turnover? In some areas, we might be concerned by turnover of, say, less
than six months. In a new project area, we might be devastated by the loss of
anybody in the team.
And what if we appear to be retaining more staff than we expect? Does that
reflect our excellent work environment and leadership – or are we retaining
staff who are below average, but who are being paid above the going rate for
their competence so that there is no incentive for them to leave?
Which brings us back to where we started – selection. If we choose the right
people; make sure they are clear about their role and the importance of their
job; give them opportunities to develop and learn; pay them according to clear
and transparent performance criteria which reflect the behaviours of the organisation;
give them regular feedback and dialogue with their superiors; and
make sure there is effective internal employee communication, we shall have
a successful business in which our people risks are being successfully managed
and mitigated.
Notes
1 Charles Handy, Beyond Certainty (London: Hutchinson, Random House (UK) Limited), 1995.
2 Quoted in Roger Steare, Ethicability (Roger Steare Consulting Limited), 2009, p. 72.
3 www.nhshealthandwellbeing.org
What is reputation?
Stakeholders
Reputation and brand
What is reputation risk?
Valuing reputation and reputation risk
How can reputation be damaged?
A framework for reputation risk management
Reputation risk controls
Tracking reputation risk
Managing intermediary risk
It won’t happen to me: what to do when it does
What is reputation?
As ever, Shakespeare got it right. Iago may have been cynically manipulating
Othello, but he was right in the one key element of reputation – it is all about
perception. It exists in the minds of others, and you neither own nor control
their perceptions. Which makes it difficult to manage.
PR can get you so far, but any reputation has to be genuine and based on
reality. If the credibility gap gets too wide between what a firm does and what
those who deal with it expect, its reputation will suffer and its business will
inevitably decline. Reputation risk management is about recognising the size
of the gap.
People evaluate a firm’s reputation on the basis of available information.
Some of that information may be controlled by the organisation, such
as annual reports or marketing materials. Other information may take less
obvious forms: a customer’s experience of service; the opinions of customers
in general; staff surveys; the views of all kinds of commentators from parish-
pump gossip, to blogger, to syndicated journalist, to campaigning activist.
Reputation is a subjective, composite assessment resulting from a number of
factors, among which trust will be the key ingredient.
As Morgen Witzel has put it: ‘A reputation is, in effect, the combined experiences
that many people have of an organisation over time.’1 Those experiences
and perceptions are dynamic and change all the time. Often that change
is caused by the actions or attitudes of others. If your peers and competitors
raise their game, your relative reputation will decline. If one of them behaves
especially badly, your reputation may suffer through guilt by association. It
can also change in response to social and other trends affecting how key constituencies,
the reputational stakeholders, understand these actions. The
perception you thought you had given may turn out over time not to be the
one the stakeholder sees.
Stakeholders
The stakeholders are not just those with whom you deal directly. They include
others, such as regulators and opinion formers, who effectively have in their
hands your licence to operate. They not only influence your direct stakeholders
but also those who may potentially become directly involved with you and, of
course, they influence each other.
very good reputation risk reason that reputation is in the mind of the stakeholder
and, for these purposes, a libel jury is a randomly selected group of
stakeholders, each with its own prejudices and backgrounds – and expectations.
We can look at various economic measures of the effect of reputational
damage – drop in sales, loss of earnings, changes in market capitalisation or
return on assets – but it is difficult to make direct correlations between these
and a perceived loss of reputation. There are too many assumptions and variables
to make it meaningful. In any case, can behaviour and expectations be
measured in terms of money?
The simplest economic measure is probably the significant intangible,
goodwill, a key component of which will be reputation. For a service business
it may even represent its total value. As Alan Greenspan put it: ‘Manufactured
goods often can be evaluated before the completion of a transaction. Service
providers, on the other hand, usually can offer only their reputation.’3 But
goodwill can only be properly valued when a business is sold; even then, reputation
is just one of a number of factors in its valuation.
Another approach is to use a scorecard. Here again, the variables are many
and their weighting is notoriously subjective. As a basis for a scorecard,
many firms use the factors identified by Charles J. Fombrun, founder of the
Reputation Institute, shown in Table 15.2.
Fombrun devised it as a ranking model, by which the Institute can assess and
report publicly either on the universe of companies or on those in a particular
industry. It is therefore akin to a rating system. As such, it is possible
that it can be self-reinforcing and affect corporate behaviour. Firms will game
the system. But it does provide helpful questions with which a firm can self-
diagnose its perception in the eyes of its various stakeholders.
In the end, the measure of reputation risk is the gap between stakeholder
expectations and actual performance. The value of reputation is, fundamentally,
the cost of risk, which is the cost of recovering the trust formerly
enjoyed. That cost can be considerable. A survey by Burson-Marsteller of business
leaders, journalists and financial analysts in the US, suggests that it takes
four years for a company to restore its reputation following a major incident.4
Some of the problems which arise if reputational issues are poorly handled are
given in Table 15.3. It requires a considerable amount of resource and effort
to restore the trust of the various stakeholder groups identified in that list. At
worst, loss of reputation can lead to the complete destruction of the business,
as in the Enron/Andersen case.
Sadly, for some firms, the comfort of a filtered version of reality is preferable
to the real thing. One of the greatest threats to reputation risk is what
might be called institutional conditioning, a culture in which the organisation
hardly knows it is moving the boundaries between acceptable and unacceptable
behaviour. Another description of it might be ‘ethical creep’. Or firms behave
badly, get away with it and so go on and do ‘it’ again. Of course, in the case of
Enron, some senior executives knew exactly what they were doing. It has been
argued that institutional conditioning was at the root of the NASA Challenger
and Columbia space shuttle disasters.7 In the case of the Columbia disaster, there
was the added failure to learn the lessons of Challenger, perhaps another symptom
of institutional conditioning. NASA, in common with other firms – and
with UK Members of Parliament in 2009 – clung for too long to the belief
that its own interpretation of ‘acceptable behaviour’ was all that mattered.
Then there are areas which are only indirectly under a firm’s control but may
at least be managed through dealings with third parties:
• client’s clients
• agents
• partners, suppliers, outsourcers
• subsidiaries, affiliates
• regulators and regulatory actions,
or even third parties it does not wish to deal with, such as money launderers or
hackers.
Finally, there are external events which cannot be controlled, but which can
have a serious reputational impact, for example:
• the activities of a few fellow industry members which can have an impact
on the industry as a whole
• unwarranted allegations, whether supported or not.
A key point to remember is that reputation is damaged by perceived failures,
even if they are not grounded in fact. A firm can be punished not because of
any failure on its part, but simply because it is being held to the wrong standard
or even to one of which it is unaware. If public expectations are simply
‘wrong’, because of factual misunderstanding or misinformation, you need to
take the initiative to redress this. A word of warning, however: managers of
many a collapsed brand have blamed public ‘misunderstanding’ for their own
demise. You may not find sympathy if you offer the public a rationale which
is deeply unpalatable, or seen as out of step with changing standards of acceptable
behaviour.
Given the myriad causes of reputation risk and its ever-changing nature,
how do we manage and mitigate it?
Governance
Reputation risk is, at heart, a behavioural issue, both on the part of the stakeholders
and the organisation. You may remember the words of Professor
Mervyn King, which we quoted in Chapter 1, about the critical importance
of ‘the tune in the middle’. The point is not to hand down board initiatives for
reputation, but to ensure that everyone understands and lives up to the plain
truth that your firm’s reputation is in the hands of all your employees and
all those who act on your behalf. As they act in your firm’s name, people will
behave as they think appropriate. They will respond not to formal policies but
to ‘tone’; to the attitudes and behaviours of those around them, and those they
observe coming from board level. If those are ethical and open, then you have a
good chance that your employees’ and agents’ behaviour will be also.
The other reason why reputation management is in the hands of all management
and employees is that, as we said earlier, the stakeholders are many
and various. In the Economist Intelligence Unit survey of international senior
executives quoted above, the question was asked: ‘Which of the following
have major responsibility for managing reputation risk within your company?’
Unsurprisingly, the top answer, with 84%, was ‘CEO/President/Chairman’.
There was then a sharp drop to 40% where we find: the board; CRO/Head of
Risk Management; heads of business units. And a further drop to 35% to find
the communications officer and compliance officer. Very surprisingly, when
the individuals were asked who in fact managed reputation risk, it emerged
that few of the executives surveyed took actual responsibility. There was no
formal reputation risk management process.
Perhaps that is because, although the CEO may personify the values and
conduct which ensure a company’s good standing, he or she should not have
the sole responsibility for reputation risk management. And nor should corporate
communications for that matter. Responsibility should lie with whoever
is most responsible for the stakeholder group which may be affected by reputational
damage. Table 15.4 gives some examples:
Stakeholder group | Responsible function
Employees | HR
Suppliers | Procurement
Regulators | Compliance
Trade unions | HR
The advantage of ascribing responsibilities for reputation across the firm is that
everybody takes the issue seriously. The danger is that each part of the firm
operates in its own silo. There needs to be coordination. Given the number of
areas which are directly involved in protecting a firm’s reputation, it is probable
that the CEO’s role – or better that of the board – is one of coordination.
Table 15.5 Using the risk register to identify possible reputation risks
Risk | Employee | Customer | Suppliers | Investors | Agents | Press | Regulator
1 | | | | | | |
2 | | | | | | |
3 | | | | | | |
4 | | | | | | |
5 | | | | | | |
Once you have identified who might be affected, you can assess the likely scale
of reputation risk. Since that represents the gap between expectation and reality,
you first need to have a thorough understanding of the awareness of your
firm by all its various stakeholders. How well known are you? How much do
they trust you? How do they rate the quality of what you offer? What expectations
do they have of you? What promises do they believe you are making?
When something happens which may harm your reputation, the impact
will, in part, be affected by the goodwill you have with the relevant stakeholder
groups. So you need to establish a benchmark against which to assess
potential reputational damage. If you truly know what all of your stakeholders
are looking for in your business, you can reasonably assess whether the reputational
damage, if realised, is likely to be significant or not.
The best way to do that is to conduct surveys amongst your various stakeholder
interest groups. The surveys will establish not only your own reputation
but also how you compare with your competitors, since reputation varies as a
result not only of your actions but also of those of your competitors. The surveys
can take a variety of forms – face-to-face interviews, questionnaires, e-mails
– depending on how many stakeholders you have, how many of them are considered
to be key, or how many you may need for a representative sample.
The next step is to establish your appetite for reputation risk, which is probably
best done by establishing a scale of damage to measure the impact of an
event on your stakeholders. One example is given in Table 15.6.
Another example, which is used in the banking industry (see Table 15.7), focuses
mainly on a number of key stakeholders such as customers, regulators and investors.
Table 15.7 Levels of reputational damage (example 2)
Level | Reputational damage
1 | No external effect
2 | No media coverage; increase in customer complaints
3 | Limited local or industry media coverage; large scale customer complaints; possible account closures; no negative effect on share price.
4 | Limited national media coverage; large scale customer complaints; some customer loss; informal regulatory enquiry; potential negative effect on share price; possible senior management involvement.
5 | Sustained national and limited international media coverage; serious customer loss; formal regulatory investigation or enquiry; negative impact on share price; senior management involvement.
6 | Sustained negative national and international media coverage; large scale customer loss; formal regulatory intervention and fines; significant effect on share price; direct senior management/board involvement.
Source: British Bankers’ Association Global Operational Loss Database
The important thing is to establish a scale, involving your own key stakeholders,
against which to test both your risk appetite and potential reputational
damage.
Having done the groundwork, you can now revisit the risk register and
determine the likelihood of suffering reputational damage, the adequacy
of your controls and whether an event would be likely to exceed your reputational
risk appetite.
Using scenarios
A highly effective method of considering potential reputational damage is to
use specific reputation risk scenarios as an assessment tool. They could be one
or a combination of incidents such as:
• loss of a licence
• adverse media campaign
• legal dispute
• loss of employees’ trust (e.g. following a whistleblower event)
• adverse perception of selected products and services by customers
• investigation by the regulator and resultant publicity.
In building scenario outcomes, consider each stakeholder and how they interact
with each other, as we did during the exercise on identifying reputational
risks (see Table 15.5). What are the information flows between them as well as
the information flows between them and you? Consider the incident or incidents
against the background of your risk and control assessment. A control
failure which you identify in the scenario exercise may affect other risks other
than those directly related to the incident itself.
Either method – risk register or scenarios – will produce a hierarchy of reputation
risk events or scenarios, and point to an effective action plan.
As suggested earlier, the scale of possible reputational damage may well
not present itself solely as a financial number, although significant costs may
be involved in restoring a stakeholder group’s trust in the firm. Reputational
impact is difficult to assess, since the range of impacts is large and much will
depend on the true causes, whether the problem is systemic or individual and,
crucially, on the speed and effectiveness of response to the problem.
touch with what is being said about you and be able to put in place appropriate
counter-measures.
Another aspect about the rise of social media – chat rooms, blogs, Twitter,
YouTube and so on – is not just what outsiders say about you, but what your
employees say on them about you. Your employees hold your reputation in
their hands. We used to be concerned about an unguarded remark in the pub
or at a party. Now the risk is expanded through social media sites where it
reaches a much wider audience. Do you have a clear policy in the staff handbook
for how employees can use these sites or what they may or may not say?
Have you established a tracking process to monitor what your employees are
publicly saying about you?
Apart from these ‘soft’ methods of tracking reputation risk, there are
numerous ‘hard’ indicators which may point to a changing reputation and can
be tracked over time. Amongst them are:
• decline in revenues
• decline in market share
• difference between the market value and liquidation value of the firm
(effectively the movement in the value of goodwill in the firm)
• number of customer complaints
• number of product recalls
• increase in regulatory attention
• firm’s position on a publicly recognised reputation index.
But before dealing with what to do in a crisis, it’s worth looking for a moment
at relations with third parties.
• cancellation rates
But it’s not a one-way street. The intermediary also has a reputation to protect
and needs to ensure that any interaction with the product provider does nothing
to harm it. The following is a checklist for intermediaries.
• New products – what is the product design process: focus groups, stress
testing, product training?
• Where has the provider had problems in the past and were they rectified
speedily and satisfactorily?
One point common to both checklists is that the results of both due diligence and ongoing review should be clearly documented. For the intermediary it is especially important to document why the provider’s product has been chosen.
As with all aspects of reputation risk management, this is not only about the down-side. Where providers and intermediaries work together, their reputation can be enhanced.
• recognise where trust lies and don’t breach it (contamination was the worst possible crisis to afflict a brand associated with natural purity)
• make sure you have a coherent and consistent communications policy.
And above all, don’t make light of the seriousness of the situation or imply that ‘these things happen’.
Deal with the problem as quickly as you can and follow the 3 Cs¹⁰ shown in Table 15.8.
A classic example of how to deal with a reputational crisis was Johnson &
Johnson’s handling of the reputational problems arising from the Chicago
Tylenol murders in 1982. It demonstrated all the qualities of speed, concern,
commitment and control.
Case study: Johnson & Johnson and the Chicago Tylenol murders (1982)
The Chicago Tylenol murders occurred when seven people died after consuming capsules of Extra-strength Tylenol for pain relief. The capsules had been laced with potassium cyanide.
Since the capsules had been manufactured at different factories, it was
evident that sabotage during production could not have occurred.
Reputational risk response
The first death occurred on 29 September 1982. Johnson & Johnson, the parent company of McNeil, immediately distributed warnings to hospitals and distributors and halted Tylenol production and advertising.
On 5 October, Johnson & Johnson issued a nationwide recall of all
Tylenol products – some 31 million bottles with a retail value of over
US$100m.
The company also advertised in the national media for people not to
consume any products containing Tylenol.
When it was established that only capsules were involved, they offered
to exchange all Tylenol capsules for solid tablets.
Remember your own employees. They are key stakeholders and crucial advocates in defining your reputation. So make sure they’re involved in the communications exercise from the start.
As to who does the communicating, you should ideally provide one spokesperson, with one message, certainly in dealings with the media. Otherwise there is the danger of mixed or conflicting messages which will only make the situation worse.
Equally important is to make sure that whoever appears for you knows what
they’re talking about. Accept that for some purposes a line manager simply
will be a better communicator than the chairperson, although the latter should
be seen to be involved.
Certainly, the board will want to be kept aware of, and possibly involved in, the strategy for responding to a crisis of reputation. But the most important thing is to keep an eye on the various stakeholders, and to communicate with each of them in the way they would most expect and appreciate, preferably through the relationship manager (see Table 15.4). Any reputation crisis plan should ensure that crises are tackled by the appropriate person in the firm, with a consistent message, and soon.
Finally, it is a fact of life that in the court of public opinion you have no right to remain silent – although anything you say may, and probably will, be used against you. You must answer the charges as presented, however unreasonable. The court of public opinion also operates a harsher regime than a court of law: you are guilty until you can prove you are innocent. Sentencing and punishment, in the shape of public vilification, starts immediately.
Regarding the Enron case discussed earlier, Andersen eventually won its battle in the legal courts. But by then the clients had long since deserted, and the firm and its reputation were destroyed; the legal victory was hollow.¹¹
Let Shakespeare have the last word:
‘The purest treasure mortal times afford
Is spotless reputation: that away,
Men are but gilded loam or painted clay’.
(Richard II, I, i, 177–9)
Notes
1 Morgen Witzel, The terrible cost of reputational loss, Financial World, July/August 2009, pp. 53–55.
2 Quoted in Stuart Fagg, Reputation risk management beyond the spin, Risk, 18 August 2006.
3 Commencement address at Harvard University, 10 June 1999.
4 Alison Maitland, Barclays banks on a good name, Financial Times, 19 February 2004, p. 11.
5 8th annual CEO survey, PricewaterhouseCoopers, 2005.
6 Aon, Global Risk Management Survey, 2007.
7 See Diane Vaughan, The Challenger Launch Decision (Chicago and London: University of Chicago Press), 1996.
8 Economist Intelligence Unit white paper, Reputation: Risk of risks (London: EIU), 2005.
9 Nick Davies, Flat Earth News, 2006.
10 The 3 Cs themselves are fully discussed in Judy Larkin, Strategic Reputation Risk Management (Basingstoke: Palgrave Macmillan), 2003.
11 Tim Prizeman, Director of PR advisers, Kelso Consulting, in Internal Auditing, December 2008, p. 33.